this post was submitted on 12 Jun 2023
3 points (100.0% liked)

Self Hosted - Self-hosting your services.

11419 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules

Important

Beginning of January 1st 2024 this rule WILL be enforced. Posts that are not tagged will be warned and if not fixed within 24h then removed!

Cross-posting

If you see a rule-breaker please DM the mods!

founded 3 years ago
MODERATORS
 

Hey folks, I have multiple VMs and personal machines across multiple cloud providers and I'm beginning to get frustrated with ssh key management. Each personal machine has it's own key so if I lose it or it's compromised I can just remove the key from the vms but it's starting to get tedious making sure everything is up to date and any new keys are added.

Are there any solutions out there that would help?

you are viewing a single comment's thread
view the rest of the comments
[โ€“] themoonisacheese@sh.itjust.works 0 points 1 year ago (1 children)

Tailscale is a VPN built on top of wireguard that identifies you at the network level. This means that as long as you are connecting through your tailnet, you can configure your machines to let you in without an auth challenge (or with a 2fa challenge) through PAM modules. Afaik the auto-login part is beta but you could also run a second sshd that only ever listens to the interface of the VPN and lets you in with no password. Tailscale allows you to set network-level access permissions, per user (though having more than 3(?) Users costs money) and support logging in through ubikey-like keys or oauth.

Or, you can set up a git repo that hosts your Public key, and Cron jobs that pull it every hour/day/whatever. It's safe to publish your Public key in this manner, and if you somehow lose the private key you may simply update the repo and wait for the change to propagate.

Or, Ansible is particularly well suited to public key management, but it's not really automated (you have to run it manually and it connects to every server) so you may end up in a situation where you would like the server to pull valid keys by itself and can't log in manually until it has done so. If that is acceptable to you, Ansible also enables you to manage a lot of your infra (automatic installs and enabling of common daemons such as monitoring comes to mind).

[โ€“] mbell@lemmy.remotelab.uk 1 points 1 year ago

Tailscale sounds like an interesting solution, I already have wireguard vpn which runs on all my personal devices.

At the moment github is my single source of truth for pub keys so having that setup might work, I could also automate the cronjob via ansible when I setup default config on new vms