Our team is reaching a size where we probably need to get serious about SSH key management.

I was wondering how different places handle how devs get access to servers. A shared key? A gatekeeper? Public keys added to all servers?

What practices and tools do you use in order to manage this?
ansible pushes authorized_keys to all the boxes -- there's a different keys file for different "clusters" -- dev/prod/staging. Most of the users' keys are the same between these files, but it gives you the ability to have users who have access to dev/staging but not prod pretty easily. All of this config lives in the main git repo.

Even if your initial solution is just to copy an authorized_keys file to each box, check that into git. You can just have a small shell script checked in as well that copies the relevant file to the relevant boxes...

Also, always have a backdoor account that uses a key you have and isn't updated this way, so if someone biffs the key file you push, you don't lock yourself out.
Recently learned of openssh's AuthorizedKeysCommand option, and I've been wondering if it could be used to set up a central "authorised keys" server.
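An added example, not code from anyone in this thread, that ties the two comments above together: one user table checked into git, which is either rendered into a per-cluster authorized_keys file to push (the ansible/scp approach) or served per user by an AuthorizedKeysCommand (the central lookup approach). The users, key material, cluster names, the break-glass key and the sshd_config lines are all constructed or assumed for the example.

```python
#!/usr/bin/env python3
"""One user table (lives in git) -> per-cluster authorized_keys, or an
AuthorizedKeysCommand lookup. Example code written for this thread."""
import base64
import binascii
import hashlib
import struct
import sys

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
CLUSTERS = ("dev", "staging", "prod")


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def fake_ed25519_line(label: str, comment: str) -> str:
    """CONSTRUCTED sample key: 32 bytes derived from a label, wrapped in the
    ssh-ed25519 wire format. Not a real key; real ones come from users."""
    pub = hashlib.sha256(label.encode()).digest()
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pub)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_key(line: str):
    """Return (type, blob, comment) for one option-less authorized_keys line,
    or raise ValueError. Comparing the type string embedded in the blob with
    the declared type catches truncated or mis-pasted keys before they ship."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"too few fields: {line!r}")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if ktype not in KEY_TYPES:
        raise ValueError(f"unsupported key type {ktype!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 in key {comment!r}: {exc}") from exc
    if len(blob) < 4:
        raise ValueError("blob too short")
    n = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + n] != ktype.encode():
        raise ValueError(f"blob type does not match declared {ktype!r}")
    return ktype, blob, comment


def fingerprint(blob: bytes) -> str:
    """Same SHA256:... form that `ssh-keygen -lf` prints (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


# Constructed user table; in the repo this would be YAML/TOML or plain files.
USERS = {
    "alice": {"clusters": {"dev", "staging", "prod"},
              "keys": [fake_ed25519_line("alice-laptop", "alice@laptop")]},
    "bob": {"clusters": {"dev", "staging"},
            "keys": [fake_ed25519_line("bob-laptop", "bob@laptop"),
                     fake_ed25519_line("bob-yubikey", "bob@yubikey")]},
}
# Break-glass key lives on a separate account and is never pushed by this tool;
# refuse to render it into a managed file so it cannot be clobbered or leaked.
BREAK_GLASS_FP = fingerprint(parse_key(fake_ed25519_line("ops-breakglass", "x"))[1])


def render_authorized_keys(cluster: str, users=USERS) -> str:
    """authorized_keys contents for one cluster. Refuses an empty result
    (pushing it would lock everyone out), duplicate keys, and the break-glass key."""
    if cluster not in CLUSTERS:
        raise ValueError(f"unknown cluster {cluster!r}")
    out, seen = [], {}
    for user in sorted(users):
        if cluster not in users[user]["clusters"]:
            continue
        for line in users[user]["keys"]:
            ktype, blob, _ = parse_key(line)
            fp = fingerprint(blob)
            if fp == BREAK_GLASS_FP:
                raise ValueError(f"break-glass key listed under {user}")
            if fp in seen:
                raise ValueError(f"key {fp} shared by {seen[fp]} and {user}")
            seen[fp] = user
            out.append(f"{ktype} {base64.b64encode(blob).decode()} {user}@{cluster}")
    if not out:
        raise ValueError(f"no keys for cluster {cluster!r}; refusing to render")
    return "\n".join(out) + "\n"


def authorized_keys_command(cluster: str, user: str, fp: str = "", users=USERS) -> str:
    """What a central lookup prints for sshd. Assumed sshd_config:
        AuthorizedKeysCommand /usr/local/bin/keys-lookup <cluster> %u %f
        AuthorizedKeysCommandUser nobody
    %u is the login name, %f the fingerprint of the key the client offered, so
    only the matching line is returned. Empty output means "no key, deny"."""
    rec = users.get(user)
    if rec is None or cluster not in rec["clusters"]:
        return ""
    lines = []
    for line in rec["keys"]:
        ktype, blob, _ = parse_key(line)
        if fp and fingerprint(blob) != fp:
            continue
        lines.append(f"{ktype} {base64.b64encode(blob).decode()} {user}@{cluster}\n")
    return "".join(lines)


if __name__ == "__main__":
    # keys.py render <cluster>   |   keys.py lookup <cluster> <user> [fingerprint]
    if sys.argv[1:2] == ["render"]:
        sys.stdout.write(render_authorized_keys(sys.argv[2]))
    elif sys.argv[1:2] == ["lookup"]:
        sys.stdout.write(authorized_keys_command(*sys.argv[2:5]))
```

Two operational notes for the AuthorizedKeysCommand path: sshd refuses to run the command unless the script and every directory above it are root-owned and not group/world-writable, and sshd still reads AuthorizedKeysFile in addition to the command's output unless you set `AuthorizedKeysFile none`, which is what you want if the central lookup is meant to be the single source of truth. In the lookup path the script above talks to a local table; in a real deployment it would query the central server, and the lookup falling over would mean nobody can log in, so the backdoor account mentioned above matters just as much here.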
My current company is small. Our servers are in AWS. You can ask AWS to pre-populate authorized_keys when launching servers.

In my old company my team maintained a bunch of microservices running on AWS. We used basically the same strategy, except there was one key for each service. Our application server ran in our own datacenter. Access to that was granted through LDAP, not SSH keys.