Need a way to manage SSH keys in a juju environment.

+1

Thanks,

Juan

Please consider the use of the ssh-import-id utility, which is part of every Ubuntu cloud image, and is tightly integrated into cloud-init. By default, it securely retrieves public SSH keys from Launchpad.net, but that's configurable and it can retrieve those from anywhere.

I kind of doubt that a large proportion of our users have launchpad accounts with SSH keys attached. Assuming that would put a pretty big burden on users to sign up for LP, and would disallow disconnected operation.

Whats needed is to have a set of CLI commands to do CRUD ops on an environment's list of SSH keys that are allowed to be used in the environment, and let the agents put them in place.

FYI, this feature was asked for on askubuntu.com as well:

http://askubuntu.com/questions/98588/juju-and-keys-for-multiple-administrators/100121#100121

As a workaround for not having this, a subordinate charm can be used.

The basic gist would be:

* sub charm has config option for allowed SSH keys
* deploy/relate it to all nodes
* juju set my-ssh-keys authorized_keys=`cat /the/true/lsit`

The config-changed hook can then update all machines' ssh keys to the ones given in authorized_keys.

The only trouble here is you will have to manually update the key on node 0, *or* deploy a dummy service to it with "placement: local" which can then have the my-ssh-keys subordinate related to it.

Let's please not add a core feature for this before the Go port is live.

gustavo @ http://niemeyer.net
On Apr 26, 2012 12:16 PM, "Clint Byrum" <email address hidden> wrote:

> As a workaround for not having this, a subordinate charm can be used.
>
> The basic gist would be:
>
> * sub charm has config option for allowed SSH keys
> * deploy/relate it to all nodes
> * juju set my-ssh-keys authorized_keys=`cat /the/true/lsit`
>
> The config-changed hook can then update all machines' ssh keys to the
> ones given in authorized_keys.
>
> The only trouble here is you will have to manually update the key on
> node 0, *or* deploy a dummy service to it with "placement: local" which
> can then have the my-ssh-keys subordinate related to it.
>
> --
> You received this bug notification because you are a member of juju
> hackers, which is the registrant for juju.
> https://bugs.launchpad.net/bugs/834930
>
> Title:
> Need a way to manage SSH keys in a juju environment.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/juju/+bug/834930/+subscriptions
>

Any chance of this one seeing some love? I personally can't currently deploy servers because of it (they come up with a set of keys which doesn't include mine), nor can our organization revoke a compromised key.

Seems like this isn't released in Trusty yet.

Also added task for juju-gui, as this should have GUI support too, to be attractive for the users.

+1 on adding to GUI. Priority-wise I think it goes after a decent chunk of other goals, but it definitely fits into what we've said we want the GUI to accomplish, and if we see a way to fit it in quickly hopefully we can.

This bug was fixed in the package juju-core - 1.17.3-0ubuntu1

---------------
juju-core (1.17.3-0ubuntu1) trusty; urgency=medium

  * New upstream point release (LP: #1271941, #834930, #1240667, #1274210):
    - https://launchpad.net/juju-core/trunk/1.17.3
 -- James Page <email address hidden> Mon, 24 Feb 2014 09:19:55 +0000