Updating SSH Keys Across an Environment

Most Linux environments with a sizeable number of servers use SSH keys for everything from simple manual administration to gathering manifests, backing up config files across the environment, and any other kind of automation. The reason is simple: automation is effectively useless if you have to type a password every time it runs.

I recognize that statement isn’t entirely true given the growing popularity of configuration management tools such as Puppet, Ansible, Chef, SaltStack, etc. However, even with those tools (excepting Ansible, which requires SSH keys to function in the first place), there are edge cases where it is still useful to have an SSH key configured for programmatic login.

That said, once a key is installed on several servers in an environment, it is prudent, just as with passwords, to cycle that key (or keys) frequently to reduce the risk of a breach involving the login keys. To make this process a bit easier, I wrote a script that handles key swapping.

With the keymanage script, you can execute the following operations on a list of servers:

  • Push a new key, being prompted for a password (the password is cached, so you will only be prompted once).

  • Push a new key, using another key for passwordless login.

  • Delete a remote key, again either being prompted for a password or using an SSH key for passwordless login.

  • Swap a remote key for a different key. This operation is seamless: it logs in with the key that is to be removed in order to install the new key, then logs in with the new key to remove the old one.
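The four operations above come down to editing the remote `authorized_keys` file, and the swap to an ordering that never leaves a host without a working key. The following POSIX sh is an added example written for this page, not the keymanage script itself: it assumes remote accounts are OpenSSH with `~/.ssh/authorized_keys` and a POSIX sh, that key lines are plain `type base64 comment` with no option prefix, and that the hostnames, key paths and key material are placeholders or constructed values.

```shell
#!/bin/sh
# Added example, not the keymanage script: the authorized_keys edits behind
# "push", "delete" and "swap", plus the swap ordering (log in with the old key,
# install the new one, verify it works, only then remove the old one).
# Assumed: OpenSSH remote with ~/.ssh/authorized_keys and a POSIX sh; key lines
# are "type base64 [comment]" without option prefixes (constructed examples).

# The editing functions live in a string so the very same code can be eval'd
# locally and shipped verbatim to each remote host over ssh.
AK_FUNCS=$(cat <<'EOF'
# A key's identity is "type base64"; the comment is ignored, so a key that was
# re-exported with a different comment still matches.
key_id() { printf '%s\n' "$1" | awk '{ print $1, $2 }'; }

# ak_has FILE KEY: exit 0 if FILE already holds KEY.
ak_has() {
    [ -f "$1" ] && awk -v id="$(key_id "$2")" \
        '($1 " " $2) == id { found = 1 } END { exit !found }' "$1"
}

# ak_add FILE KEY: append once (idempotent); sshd ignores loosely-moded files.
ak_add() {
    ak_has "$1" "$2" && return 0
    mkdir -p "$(dirname "$1")" && chmod 700 "$(dirname "$1")" || return 1
    printf '%s\n' "$2" >> "$1" && chmod 600 "$1"
}

# ak_remove FILE KEY: drop every line matching KEY, keep all other keys as is.
ak_remove() {
    [ -f "$1" ] || return 0
    tmp=$(mktemp) || return 1
    # cat over the file rather than mv so owner and mode are preserved
    awk -v id="$(key_id "$2")" '($1 " " $2) != id' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}
EOF
)
eval "$AK_FUNCS"

# Single-quote a string for the remote shell (key comments may hold anything).
sq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# remote_edit HOST OP KEY [LOGIN_KEY]: run ak_OP on HOST's authorized_keys.
# Without LOGIN_KEY ssh prompts for a password; ControlMaster keeps that
# session open, so a run over a server list asks only once per host.
# -n stops ssh from swallowing the server list when called inside a read loop.
remote_edit() {
    host=$1; op=$2; key=$3; login=${4:-}
    set -- -n -o ControlMaster=auto -o ControlPersist=60 \
           -o ControlPath="$HOME/.ssh/km-%r@%h:%p"
    [ -n "$login" ] && set -- "$@" -i "$login" -o IdentitiesOnly=yes
    ssh "$@" "$host" "$AK_FUNCS; ak_$op \"\$HOME/.ssh/authorized_keys\" $(sq "$key")"
}

# push_key HOST NEW.pub [LOGIN_KEY]    delete_key HOST OLD.pub [LOGIN_KEY]
push_key()   { remote_edit "$1" add    "$(cat "$2")" "${3:-}"; }
delete_key() { remote_edit "$1" remove "$(cat "$2")" "${3:-}"; }

# swap_key HOST OLD NEW: private key paths, with OLD.pub and NEW.pub beside them.
swap_key() {
    host=$1; old=$2; new=$3
    push_key "$host" "$new.pub" "$old" || return 1
    # Lockout guard: prove the new key is accepted before the old one goes away.
    ssh -n -o BatchMode=yes -o IdentitiesOnly=yes -i "$new" "$host" true || {
        printf 'new key rejected by %s; old key left in place\n' "$host" >&2
        return 1
    }
    delete_key "$host" "$old.pub" "$new"
}

# for_each_server LIST FUNC ARGS...: FUNC HOST ARGS... per non-comment line.
# e.g. for_each_server servers.txt swap_key ~/.ssh/id_old ~/.ssh/id_new
for_each_server() {
    list=$1; fn=$2; shift 2
    grep -Ev '^[[:space:]]*(#|$)' "$list" | while read -r h; do
        "$fn" "$h" "$@" || printf 'FAILED: %s\n' "$h" >&2
    done
}
```

The lockout guard is the part worth copying: the old key is only deleted after a `BatchMode=yes` login with the new key has succeeded, so a typo in the new public key or a permissions problem on the remote `.ssh` directory fails loudly instead of locking you out of the host.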

I hope this script is useful to folks out there. If you have any questions, comments, or improvements you’d like to make, send me an email or a pull request at nullspoon@iohq.net.

Category:Linux

Last edited: February 15, 2016