Managing Deployment SSH Keys

At Forward the number of virtual machines we're deploying to is increasing steadily; on EC2 alone we have over 30 at the moment. Managing authentication to those servers was becoming more time consuming.

Previously we'd used a single user account with a password shared between everyone who needed access to the machines. Keeping that up to date was unreliable: some machines would not be updated with the new password, and everybody would have to be told what it was.

We wanted something better, so we're now using a git repository to sync public keys.

It's easy to manage, easy to add new keys, and easy to track changes. We can manage permissions to the repository, remove keys when necessary, and it's very easy to make sure all machines are constantly up to date.

To do this we have a repository containing one user.pub public key file per person, copied directly from that user's ~/.ssh/id_dsa.pub file (for example).

Machine images already have GitHub's SSH host key accepted (so the pull never prompts) and a clone of the repository. A simple Bash script then runs regularly via cron, pulling any changes and regenerating the authorized_keys file from the .pub files.

It's been working pretty well so far, much easier than before!