Hi,

I know about SSH certificates and we use them primarily,
but we still have systems which use classic pubkeys managed in <i>authorized_keys</i>.

From <i>authorized_keys(5)</i>:

<pre><code>Public keys consist of the following space-separated fields:
options keytype base64-encoded-key comment
The options field is optional
The comment field is not used for anything (but may be convenient for the user to identify the key)
</code></pre>

What I often find is something like this:

<pre><code>ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5EYh69EeIDiVYxgy6O4fUWoxiT4cRxb8JkLdikE27a user@host
</code></pre>

which makes it hard to find out how to contact that key owner.

So I often use this format:

<pre><code>ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5EYh69EeIDiVYxgy6O4fUWoxiT4cRxb8JkLdikE27a user@domain.com
</code></pre>

Currently I am thinking about a more generic format
with more info which can be parsed later by Bash, Go or something else.

Something like this:

<pre><code>ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5EYh69EeIDiVYxgy6O4fUWoxiT4cRxb8JkLdikE27a o:user1@host1|e:user1@domain.com|p:manage-vhosts|t:2024-02-21
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICebzmkN9HFcnTfcugV+8sAC1nI9itIL0uriy8lmTc7L o:user2@host2|p:manage-users
</code></pre>

<pre><code>awk '$NF ~ /^.:/ {print $NF}' ~/.ssh/authorized_keys | tr '|' '\n' | awk -F':' '/^o:/ {print "origin="$2}'
awk '$NF ~ /^.:/ {print $NF}' ~/.ssh/authorized_keys | tr '|' '\n' | awk -F':' '/^e:/ {print "email="$2}'
awk '$NF ~ /^.:/ {print $NF}' ~/.ssh/authorized_keys | tr '|' '\n' | awk -F':' '/^p:/ {print "purpose="$2}'
awk '$NF ~ /^.:/ {print $NF}' ~/.ssh/authorized_keys | tr '|' '\n' | awk -F':' '/^t:/ {print "timestamp="$2}'
</code></pre>

<pre><code>origin=user1@host1
origin=user2@host2
email=user1@domain.com
purpose=manage-vhosts
purpose=manage-users
timestamp=2024-02-21
</code></pre>

- What do you use?

- Are there any best practices?

- Any ideas, comments? (pun intended)
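An added Python example (not code from the post) that parses the tagged-comment scheme above the way a tool rather than an awk pipeline would: it handles a leading options field with quoted spaces, checks that the key type field matches the type string embedded in the key blob, and computes the SHA256 fingerprint, which is what sshd's auth log and `ssh-keygen -l` identify a key by, so a login can be traced back to the owner tags. The third sample line, the `TAG_NAMES` mapping and the key-type regex heuristic are assumptions made for the example.

```python
import base64
import hashlib
import re
# Constructed sample in the post's tagged-comment scheme: the first two lines reuse
# the post's keys; the third is a made-up restricted key with a quoted command.
SAMPLE_AUTHORIZED_KEYS = """\
# comment line, skipped
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5EYh69EeIDiVYxgy6O4fUWoxiT4cRxb8JkLdikE27a o:user1@host1|e:user1@domain.com|p:manage-vhosts|t:2024-02-21
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICebzmkN9HFcnTfcugV+8sAC1nI9itIL0uriy8lmTc7L o:user2@host2|p:manage-users
command="/usr/local/bin/backup run",no-pty,restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5EYh69EeIDiVYxgy6O4fUWoxiT4cRxb8JkLdikE27a o:backup@host3|p:backup|t:2024-02-21
"""
TAG_NAMES = {"o": "origin", "e": "email", "p": "purpose", "t": "timestamp"}

def split_options(line):
    """Return (options, rest); options end at the first whitespace outside quotes."""
    if re.match(r"(ssh-|ecdsa-|sk-)\S+\s", line):  # heuristic: starts with a key type
        return "", line
    quoted, escaped = False, False
    for i, ch in enumerate(line):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    raise ValueError("no key after options field")

def fingerprint(key_b64):
    """SHA256 fingerprint in the form sshd's auth log and ssh-keygen -l print it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    options, rest = split_options(line)
    keytype, key_b64, comment = (rest.split(None, 2) + [""])[:3]
    blob = base64.b64decode(key_b64, validate=True)
    tlen = int.from_bytes(blob[:4], "big")  # blob starts with its own type string
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key type field does not match key blob")
    tags = {}
    for item in comment.split("|"):  # the post's k:v|k:v comment scheme
        k, sep, v = item.partition(":")
        if sep and k in TAG_NAMES:
            tags[TAG_NAMES[k]] = v
    return {"options": options, "keytype": keytype, "comment": comment,
            "fingerprint": fingerprint(key_b64), "tags": tags}

def parse_authorized_keys(text):
    return [parse_line(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]
```

Indexing the result by `fingerprint` gives a lookup from an "Accepted publickey ... SHA256:..." log line straight to the origin, email and purpose tags, which the awk pipeline above cannot provide.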
The only thing I can add is that if the key was generated by automation then I <i>or the automation tool</i> put the JIRA number <i>or whatever approval system was used for the project</i> so that auditors' questions can be answered.