In each sysadmin's home directory on pip, set ~/.ssh/authorized_keys to be a symlink to /etc/adm-keys/$USER-authorized_keys. Then any key added to pip will automatically appear in this directory
We then set up an rsync daemon to publicize the contents in this directory. Other servers download the list, create and delete user accounts as appropriate, and then symlink the authorized_keys.
Pros and cons
Pros
This does not depend on being on a secure network, since the public keys are
broadcast via https.
There is no single point of failure. There is, however, still a single point of trust.
No external service (e.g. GitHub) has to be trusted
Very simple workflow for users - simply add the key to pip.
Unsolved questions
How to protect the authorized_keys directory from MITM attacks?
Problem to be solved
This is a proposed solution to #4.
Solution details
We set up a directory on pip that contains all sysadmin keys
In each sysadmin's home directory on pip, set
~/.ssh/authorized_keysto be a symlink to/etc/adm-keys/$USER-authorized_keys. Then any key added to pip will automatically appear in this directoryWe then set up an rsync daemon to publicize the contents in this directory. Other servers download the list, create and delete user accounts as appropriate, and then symlink the authorized_keys.
Pros and cons
Pros
This does not depend on being on a secure network, since the public keys are broadcast via https.
There is no single point of failure. There is, however, still a single point of trust.
No external service (e.g. GitHub) has to be trusted
Very simple workflow for users - simply add the key to pip.
Unsolved questions
How to protect the authorized_keys directory from MITM attacks?