I have about 20 servers...how do I manage the SSH keys and permissions of each?

I have database servers, web servers, SVN servers, etc. Oftentimes I ssh among them...or they auto-ssh.

How do I manage what server gets to log into which others?


I use Puppet, and have a class defined for every key, then classes that include those classes to define the "groups" of keys I have (for us it's people -- so L1 techs, L2 techs, managers, developers -- but you can do db servers, fileservers, svn servers, etc). Then the various types of machines have their own manifests that define which of those groups have access to that type of machine, so development boxes have L1, L2, and developers, prod servers have L1 and L2, sensitive servers just have L2, that sort of thing. Adding a new machine is just a matter of deciding which classes it belongs to and adding a few lines here and there, which we have documented in our new machine commissioning procedures.
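Here is an added sketch of the class layout described above (example manifests, not the answerer's own code); the class names, the `ops` login account and the key strings are placeholders:

```puppet
# One class per key. Revoking a key is a one-line change here
# (ensure => absent) that propagates to every machine including it.
class keys::alice {
  ssh_authorized_key { 'alice@workstation':
    ensure => present,
    user   => 'ops',                       # assumed shared login account
    type   => 'ssh-ed25519',
    key    => 'AAAA...PLACEHOLDER_ALICE_KEY...',
  }
}

class keys::bob {
  ssh_authorized_key { 'bob@laptop':
    ensure => present,
    user   => 'ops',
    type   => 'ssh-ed25519',
    key    => 'AAAA...PLACEHOLDER_BOB_KEY...',
  }
}

# "Groups" are just classes that include key classes.
class keygroups::l2 {
  include keys::alice
}

class keygroups::developers {
  include keys::bob
}

# Per machine type: decide which groups may log in.
class role::dev_box {
  include keygroups::l2
  include keygroups::developers
  # Drop any authorized_keys entries Puppet does not manage, so a key
  # pasted in by hand does not outlive the access decision made here.
  resources { 'ssh_authorized_key': purge => true }
}

class role::sensitive_server {
  include keygroups::l2
  resources { 'ssh_authorized_key': purge => true }
}

node 'dev01.example.com'   { include role::dev_box }
node 'vault01.example.com' { include role::sensitive_server }
```

Turning on `purge` is the part to test on one box first: every key that should stay must be declared somewhere in the catalog or it will be removed on the next run.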


We are using OpenLDAP for storing users':

  • public keys
  • passwords
  • uids
  • sudo rights
  • real names
  • phone numbers
  • emails
  • etc.

It's stable, easy to expand, has a lot of documentation and integration features, so I recommend it.