Manage SSH Keys with Automation

TL;DR

Automate adding, removing, and monitoring SSH keys in your authorized_keys file to improve security and reduce admin overhead. Tools like Ansible, Puppet, Chef, or even simple scripts can help.

1. Why Automate?

Manually managing SSH keys is error-prone and time-consuming, especially with many servers. Automation offers:

• Security: Consistent key management reduces the risk of outdated or compromised keys.
• Efficiency: Quickly provision access for new users or revoke it when needed.
• Auditability: Track changes to authorized keys for compliance and troubleshooting.

2. Choosing an Automation Tool

Several tools can help, depending on your existing infrastructure:

• Ansible: Agentless, uses SSH. Good for simple tasks and smaller environments.
• Puppet/Chef: More complex, require agents on servers. Suitable for large-scale deployments with intricate configurations.
• Custom Scripts: For very specific needs or limited environments. Use with caution; ensure proper error handling and security measures.

3. Automating Key Addition (Ansible Example)

This example shows how to add an SSH key using Ansible.

1. Create an Inventory File: List your servers in a file (e.g., inventory.ini).[servers]
server1 ansible_host=192.168.1.10
server2 ansible_host=192.168.1.11

2. Create an Ansible Playbook: Define the tasks to perform (e.g., add_ssh_key.yml).---
- hosts: servers
become: yes # Required for writing to authorized_keys
tasks:
- name: Add SSH key
authorized_key:
user: your_username
state: present
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA... your_public_key ... your_username@your_host"

3. Run the Playbook: Execute the playbook to add the key.ansible-playbook -i inventory.ini add_ssh_key.yml


4. Automating Key Removal

Similar to addition, use the authorized_key module with state: absent.

--- 
- hosts: servers
  become: yes
  tasks:
    - name: Remove SSH key
      authorized_key:
        user: your_username
        state: absent
        key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA... your_public_key ... your_username@your_host"

5. Monitoring Authorized Keys

Regularly check for unauthorized keys or outdated configurations.

• Scripting: Write a script to parse authorized_keys and alert on anomalies (e.g., unknown key fingerprints).
• Configuration Management Tools: Use Puppet/Chef to enforce desired state and report deviations.
• Log Analysis: Monitor system logs for changes to the authorized_keys file.

Example script snippet (Bash):

#!/bin/bash
for key in $(cat /home/your_username/.ssh/authorized_keys);
do
  fingerprint=$(ssh-keygen -l -f <<< "$key" | awk '{print $2}')
  echo "Key fingerprint: $fingerprint"
done

6. Security Considerations

• Protect Your Automation Credentials: Securely store Ansible keys, Puppet certificates, or script passwords.
• Limit Access: Restrict who can modify the automation infrastructure.
• Regular Audits: Review your automation configurations and logs to ensure they are functioning correctly.
• cyber security best practice: Implement multi-factor authentication where possible.