
SSH key rotation

SSH Key rotation! More Saturday morning fun.

In some circles SSH key rotation is terrifying and considered a massive headache. In security circles the lack of key rotation is a ripe target: one leaked key that never expires opens every host it was ever copied to, so an attacker who gets it can compromise and hack ALL the things.

How do we solve this?
Well, you can write a bash script that goes through a list of hosts and runs `ssh-copy-id` against each one, but this does not invalidate the old keys, it just adds the new ones, solving only half of the problem. Nonetheless, for the initial setup of the lab this command is pretty nice, so here it is.

Lab setup:

Needed are: SSH keys already set up on each of the hosts whose keys you are going to change.
Ansible running on your laptop, which is where we are going to SSH from.
An Ansible inventory of the hosts that share the SSH key.
— for my lab I am using a bunch of physical Raspberry Pis, because I like them and it makes me feel like a tiny mad scientist having a mini cluster of Pis running on my desk. There were days when I would rather have had a Beowulf cluster of machines running, but hey, you gotta make do.

Here is an inventory example, simple enough.

Great, we have an inventory and our SSH key on each of the hosts. Let's say hello world to our hosts to make sure the lab is configured.

Great, it worked. Next let's change the key and hope not to break everything.
We are going to create an Ansible playbook with a few tasks in it. The first task generates a new SSH key locally, at our new key location.

Next we have a task that takes our new key file and pushes it to the hosts with the exclusive property set. The exclusive property is important because without it the old keys are retained in authorized_keys, which is exactly the problem we are trying to solve. If we want multiple keys deployed we can do it in multiple steps: the first push is exclusive, and the remaining keys are appended afterwards by pushes without exclusive set.

Finally we have two steps to move the newly generated keys to our super secret archive. I have not worked this one out yet, but cleanup is needed somewhere. Currently it tries to run multiple times, and that is a bug right now.
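The playbook those steps describe, written out as an added example rather than the post's own file. It assumes an inventory group `pis`, remote user `pi`, the current shared key at `~/.ssh/id_rsa`, new key material under `~/.ssh/rotation/` and an archive directory `~/.ssh/archive/`, and it runs the archive step once on the control machine with `run_once` instead of once per host, after checking that every host already accepts the new key.

```yaml
# Added example, not the post's playbook. Assumed paths: current key
# ~/.ssh/id_rsa, new key ~/.ssh/rotation/id_ed25519, archive ~/.ssh/archive/.
- name: Rotate the shared SSH key on every host in the inventory
  hosts: pis
  gather_facts: false
  vars:
    home: "{{ lookup('env', 'HOME') }}"
    remote_user: pi
    old_key: "{{ home }}/.ssh/id_rsa"
    new_key: "{{ home }}/.ssh/rotation/id_ed25519"
    archive_dir: "{{ home }}/.ssh/archive"
  tasks:
    - name: Generate the new key pair once, locally
      ansible.builtin.command:
        cmd: ssh-keygen -t ed25519 -N '' -C rotated-key -f {{ new_key }}
        creates: "{{ new_key }}"      # re-runs do not overwrite the key
      delegate_to: localhost
      run_once: true

    - name: Install the new public key as the ONLY authorized key
      # exclusive: true rewrites authorized_keys with just this key, which is
      # the step that actually revokes the old shared key on each host.
      ansible.posix.authorized_key:
        user: "{{ remote_user }}"
        key: "{{ lookup('file', new_key ~ '.pub') }}"
        exclusive: true
        state: present

    - name: Confirm each host accepts the new key before touching the old one
      ansible.builtin.command: >
        ssh -i {{ new_key }} -o BatchMode=yes -o IdentitiesOnly=yes
        {{ remote_user }}@{{ ansible_host | default(inventory_hostname) }} true
      delegate_to: localhost
      changed_when: false

    - name: Create the archive directory, readable by the owner only
      ansible.builtin.file:
        path: "{{ archive_dir }}"
        state: directory
        mode: "0700"
      delegate_to: localhost
      run_once: true

    - name: Park the old private key in the archive, once, not per host
      ansible.builtin.command:
        cmd: mv {{ old_key }} {{ archive_dir }}/id_rsa.{{ lookup('pipe', 'date +%Y%m%d') }}
        removes: "{{ old_key }}"      # skipped when it has already been moved
      delegate_to: localhost
      run_once: true
```

Later runs need the inventory or SSH config pointed at the new key (for example via `ansible_ssh_private_key_file`), since the old one no longer opens anything.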

Let's fire it up and change some keys!

It worked! We rotated keys and we are more secure than we were an hour ago!!!
