How-to
This is a short how-to in staging a SSH master which is the - text file - repository where the pristine sources of all SSH public keys, management scripts and configuration files will be held.
The requirements for a SSH master repository are almost negligible in terms of disk space and CPU resources. However, when triggering a key distribution process, a number of parallel SSH sessions will be spawned which will take up some system resources (see MAX_BACKGROUND_PROCS
setting in the manage_ssh.sh
script). By default this is set to 30.
In terms of network and firewall configurations: all SSH controls client hosts must be reachable through SSH (standard port 22) from the SSH master.
The basic steps to configure a SSH master are (as root user):
- Add a dedicated OS group & user - for example
sshadmin
- who will be the owner of the repository. The administrative account does not need a password (so lock it) but does require a valid shell:
- Create the repository:
- Create a SSH key pair for the
sshadmin
user. This key pair will be used to authenticate on each of the SSH controls client systems when doing an update. If you opt to create a key with passphrase then you must:- make sure you have a SSH agent process running on either SSH master server or your the machine you are originally connecting from (with agent forwarding enabled).
- add this key to the running SSH agent. Failing to do will block any remote update process to client hosts.
- Create the key repository with the keys that need to be distributed. You can choose to either store all keys in one big file or use a
keys.d
directory with separate key files. Make sure you add the keys in the required format! (see Master configuration files for more details):
- Create an initial version of the required master configuration files
Build/edit the access
, alias & targets files to fit your environment.
- Copy the management scripts into the repository:
You may want to review the following settings in the manage_ssh.conf
or manage_ssh.conf.local
configuration files, especially if you are not using the default /etc/ssh_master
& /etc/ssh_controls
paths:
Note: the REMOTE_DIR
& LOCAL_DIR
settings can also be specified as command-line parameters to the manage_ssh.sh
script.
- Copy or configure the client configuration file:
- Perform a syntax check on the configuration files:
Note: the build-in syntax check has limited capabilities. It will not catch all possible errors so CAVEAT EMPTOR.
Example repository
Following is a listing of what a SSH master repository may look like:
Leave a comment