Open 3noch opened 7 years ago
@3noch I don't think there is any way. I assume you could write a daemon which changes the keys on your deployment host and then reruns "nixops deploy" to redistribute the keys. But I'm not sure this is the way to go. Probably a better way would be to implement something like HashiCorp Vault or some other dynamic secret management.
@spinus Thanks for the idea. I suppose if I can just add/change the authorized keys for root on the server, then I could actually manually update the deployment data if I had to (via export/import probably). Is the server's root SSH key just stored in /root/.ssh/authorized_keys?
@3noch Depends what keys you want to rotate. There are two types of keys in nixops, I think. SSH keys which are used to connect to the machine (I'm not sure where they are stored on the target machine, probably in some symlinked authorized_keys as you mentioned, but those are only public keys); the private keys, I think, are in sqlite or in ssh-agent. The second type of keys is user keys declared with "deployment.keys".
I've come to the conclusion that some story for this should be very high priority. I recently had a really tough time removing access to a server and had to build a new server from scratch! While that's not nearly as hard to do with NixOps as it would be with some other system, it was still much harder and much slower than it ought to be. If you need to rotate keys, then you likely need to do it quickly.
@3noch If your setup allows you to remove the statefile for a deployment, you can recreate it, which will effectively rotate the root ssh key.
@ryantm Interesting! How does that work? How would the deployment ssh into the server and change the keys if it didn't have the old ones? How would it even know the IP address of the server?
You could copy the old keys somewhere locally, or use some other key temporarily. You can configure additional root keys with users.extraUsers.root.openssh.authorizedKeys.keys. The IP address can be set with deployment.targetHost.
@ryantm Wow ok I'll have to do a trial run of this and see how it goes. This would certainly be a very welcome technique if it indeed works.
I did it this way:

ssh-keygen

/etc/ssh/sshd_config to find the place where your root keys rest. Note that different backends may put it in different places. For example, Hetzner: /etc/ssh/authorized_keys.d/root; AWS: /root/.ssh/authorized_keys; VirtualBox: some other fancy place :)

I was wondering if I could rotate the ssh keys if a team member that had access to the deployment server left my company. I ended up here.
It would be a great feature to have indeed.
The instructions above for rolling root SSH keys were super helpful. I found a couple of extra things worth mentioning: killall ssh-agent, or otherwise kill some running ssh-agent processes, for NixOps to use the new key, though this depends on your setup.
Is it possible to rotate the keys that nixops has generated automatically? At the most basic level this would include the SSH keys for root on each machine.