We are looking to switch to key-based management of SSH logins, and wonder if there any key-management systems which would allow us to centrally manage the access keys world-wide.
The system should ideally allow issuing key per client, and revoking them if needed, updating server machine keys on fly.
Does anyone know of such a system, either commercial or open source?
NOTE: To clarify, we need the key management for pretty large amount of cloud servers (EC2-like), and a small amount of service users. I guess LDAP + patch suggest below might be the way to go.
Best Answer
There are plenty of ways of doing this. LDAP key storage has been mentioned a couple of times, and I've done that and it works, as far as it does. LDAP has it's own management curiosities, though, which take some learninating.
I'm a big fan of simple, robust servers that have minimal external network dependencies for simple things like authenticating administrators, so I lean towards a far more robust SSH key distribution strategy -- I have the configuration management system take care of it. Everyone's public key is kept in the configuration management system, and wherever the person needs to be able to login, their key is added. The config system also knows to remove keys that aren't specified, so when someone leaves or their key changes, it's a simple matter of removing the key configuration and on the next config system run, the key is removed.