ssh secret server

I wanted to set up a n2n vpn and the way n2n works at this point participation in any given requires that you configure the three things, one of which is a password.  Which means that if you want to ostracize a participant to whom you have previously given these facts you need to change one or more them.  That is inconvenient since it effects everybody in current installed base.

This is a tractable problem if you set up the installed base correctly from the start.  If each participant fetches the n2n configuration using ssh and his identity you your all set.  Just set up an ssh persona (<mr_config_provider@myvpn.example.org>) that provides the configuration when asked and add all participant identities to Mr. Config’s authorized_keys.  Then when it comes time to remove a participant you change the configuration and remove that participant’s ssh key from the set of authorized keys.  Presumably you’d also use the “command=…” feature of ssh’s authorized keys.

Of course in the case of n2n using rotating key files and a cron job to fetch and trigger their reload into the edge is probably a better approach.  But this problem, how to get adhoc secrets distributed to community members, comes up a lot.

Leave a Reply

Your email address will not be published.