Define or rotate ssh keys

This short use case shows how to roll out or rotate ssh keys on multiple devices.

Video demo

A short ssh key video demo can be found by following the link.

qbee can do any of the following:

  • define one or more ssh keys for any user
  • revoke ssh keys
  • define specific ssh keys for a device or a group of devices
  • update ssh keys on a large number of devices
  • rotate ssh keys

Implications of state based ssh key management

qbee is state based. The agent requests a configuration from the server and converges to that state. This means that if any user, program or process changes the ssh keys, the qbee agent will restore them according to the configuration the next time it runs. This gives a certain amount of increased security and proactively prevents deviations in the managed infrastructure. In addition, this state remains valid until it is changed. Thus devices that are offline will receive the change the next time they come online. Even spare parts that might have been in storage for 3 years will immediately pick up the ssh keys from the group they get associated to.
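The convergence step described above can be pictured as follows. This is an added example, not qbee's agent code: the function names `fingerprint` and `converge` are hypothetical, and it assumes the script runs as the account that owns the `authorized_keys` file.

```python
import base64
import hashlib
import os
import re
import struct
import tempfile

# "<type> <base64 blob>" as whole tokens; any options before and comment after are ignored.
KEY_RE = re.compile(r"(?<!\S)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+=*)(?!\S)")


def fingerprint(line):
    """Return the key's SHA256 fingerprint in the form ssh-keygen -l prints, or None."""
    for ktype, b64 in KEY_RE.findall(line):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        # A real key blob begins with its own length-prefixed type name; this
        # rejects look-alike text inside quoted options such as command="...".
        if blob[:4 + len(ktype)] == struct.pack(">I", len(ktype)) + ktype.encode():
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def converge(path, desired_lines):
    """Make path hold exactly desired_lines and return the drift that was corrected."""
    desired = [line.strip() for line in desired_lines]
    try:
        with open(path, encoding="utf-8") as fh:
            current = [l.strip() for l in fh if l.strip() and not l.startswith("#")]
    except FileNotFoundError:
        current = []
    # Whole lines are compared, so a managed key whose options were edited
    # (for example a dropped from= restriction) is also replaced.
    drift = {
        "removed": [fingerprint(l) or "unparsable entry" for l in current if l not in desired],
        "restored": [fingerprint(l) for l in desired if l not in current],
    }
    if current != desired:
        # mkstemp creates the file with mode 0600; rename is atomic, so sshd
        # never reads a half-written authorized_keys.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.writelines(line + "\n" for line in desired)
        os.replace(tmp, path)
    return drift
```

Running `converge` on every agent cycle and logging the returned fingerprints gives a record of each unmanaged key that was removed without writing full keys to the log.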

The keys are defined in "Configure -> ssh keys".

In this example the intention is to set a new ssh key for the group "industrial Raspberry Pi" (abbreviated industrialRPI). This group is selected (first red circle). Previously this group inherited its keys from the main group, so inheritance is now shown as broken on the right-hand side. It is possible to reset this again (see second red circle). Then the keys from the main definition are used again.


The new key needs to be saved. Then a list of devices that are in scope will be displayed.


If this list is OK the change of the ssh keys can be committed.


Now all devices will pick up the new configuration and change ssh keys accordingly.

The commit and how it propagates through the infrastructure can be seen in the audit tab. Here a detailed description of who did what at what time is recorded. In the image below it can be seen that so far one device has received the new ssh key. In this example devices connect every 5 minutes. Thus within 5 minutes all online devices will receive the new key.



qbee makes it easy to change or rotate ssh keys. Offline devices will receive the ssh key the next time they come online. If a device is moved to a new part of the tree or a new group, it will automatically receive the correct ssh keys and report back through logs and audit.