Define or rotate ssh keys

Why do I need to deliver an ssh key to my edge devices?

ssh keys play a crucial role in managing devices. They can be used to set up passwordless ssh access as well as to increase security. In many remote access scenarios over port 22, a valid public ssh key on the device enables additional functions such as port forwarding. If new users join an organization or you want to increase security, it can be very important to add or rotate ssh keys.

qbee can do any of the following:

  • define one or more ssh keys for any user
  • revoke ssh keys by overwriting
  • define specific ssh keys for a device or a group of devices
  • update ssh keys on a large number of devices
  • rotate ssh keys

Here is how you create an ssh key

This tutorial explains how to create a public-private ssh key pair on your machine.

Implications of state based ssh key management

qbee is state based. The agent requests a configuration from the server and converges to that state. This means that if any user, program or process changes the ssh keys, the qbee agent will restore them according to the configuration the next time it runs. This provides a certain amount of increased security and proactively prevents deviations in the managed infrastructure. In addition, this state remains valid until it is changed, so devices that are offline will receive the change the next time they come online. Even spare parts that have been in storage for 3 years will immediately pick up the ssh keys from the group they are associated with, while old ssh keys are overwritten and no longer exist on the device.
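The convergence behaviour described above, sketched as an added example (this is not qbee's agent code): a function forces an authorized_keys file to match a configured key list and reports the drift it corrected. The function names, the simplified key parsing and the sample keys are assumptions made for illustration.

```python
import os
import tempfile

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # key-type tokens (simplified assumption)

def key_id(line):
    """Identify a key by (type, base64 blob), ignoring options and comment."""
    tokens = [] if line.lstrip().startswith("#") else line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_PREFIXES):
            return (tok, tokens[i + 1])
    return None  # blank line, comment or unparsable entry

def converge(path, desired_lines):
    """Make `path` hold exactly `desired_lines`; report the drift that was fixed."""
    current_text = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            current_text = fh.read()
    desired_text = "".join(l.strip() + "\n" for l in desired_lines)
    current = {key_id(l) for l in current_text.splitlines()} - {None}
    desired = {key_id(l) for l in desired_lines} - {None}
    report = {"removed": sorted(current - desired),  # keys outside the configured state
              "added": sorted(desired - current),    # configured keys missing on disk
              "changed": current_text != desired_text}
    if report["changed"]:
        # Write a temp file in the same directory, then rename: no partial file is ever read.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(desired_text)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    return report

def demo():
    """Constructed sample keys (not real key material): drift, rotation, steady state."""
    old = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYexample alice@old"
    new = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYexample alice@new"
    rogue = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABROGUEexample unknown"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "authorized_keys")
        first = converge(path, [old])        # initial configured state
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(rogue + "\n")           # local change made outside the configuration
        second = converge(path, [new])       # rotation: old and rogue removed, new added
        third = converge(path, [new])        # already converged, nothing rewritten
        with open(path, encoding="utf-8") as fh:
            return first, second, third, fh.read()
```

Calling demo() returns the three convergence reports and the final file content; the "removed" list of the second report is the part worth forwarding to an audit log.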

The keys can be defined in "Configure -> ssh keys".

If new keys are committed, this is recorded in the audit log, and the log tab shows how they propagate through the infrastructure, with a detailed record of which device received the keys at which time. If your agent run interval is 5 minutes then all devices in your infrastructure will receive a new key within 5 minutes, no matter how many devices you manage.

Summary

qbee makes it easy to change or rotate ssh keys. Offline devices will receive the ssh key the next time they come online. If a device is moved to a new part of the tree or a new group, it will automatically receive the correct ssh keys and report back through logs and audit.