sf-keys is a very special extension - the only one, that is not cloned to managed servers directly from the original repository. Instead, you are supposed to fork it and replace all gpg/ssh keys with your own ones. Then, url of your forked repository should be placed into scripts/functions.custom file in Server Farmer main repository.
When your farm will grow up, you will probably use multiple Server Farmer forked repositories, eg. main fork as the primary version (for most customers), and several separately fine-tuned versions to handle particular customers. All these forks can (and should) share the same sf-keys repository, which greatly reduces the error surface related to key management.
All ssh keys used by Server Farmer are stored in /etc/local/.ssh directory on farm manager, which is the main management server. Security of this server is absolutely critical, as anyone who can access it, can do literally everything with your whole network, as well as with all networks, servers, domains etc. managed for your customers.
To increase the overall security level, you can use master and slave farm managers, where master is the only one with management ssh private keys, while dedicated ssh private keys are copied to slave farm managers after generation.
Is ssh key used:
- in host setup phase, to attach new host to the farm and allow generating dedicated keys
- by main administrator (should be used only if dedicated keys are not available)
Is ssh key used:
- for passwordless ssh root access from farm manager after the setup phase (this key is generated automatically during setup)
- for transferring backups from managed server to backup collector (this key is also generated automatically, for
backupsystem user) - for other administrators and any other people that should have access to particular managed server
gpg/ - this directory contains all your gpg public keys
functions - this file should expose gpg_backup_key shell function:
- it is very important, that this file should work in standard
/bin/shshell, without requiring Bash gpg_backup_keyfunction should return either empty string, or gpg file name without.pubextension- key with returned filename (with
.pubextension) should be present ingpg/directory
ssh/ - this directory contains all your ssh public keys (including the one named id.default)
get-ssh-dedicated-key.sh - this script prints the full filename (including path) of dedicated ssh private key - in most cases, you shouldn't touch it
get-ssh-device-key.sh - this script prints the full filename of ssh private key used on MikroTik/Cisco network devices - default version of this script assumes, that all devices of given brand share one key, you can change this script if you want to use different key for each router
get-ssh-management-key-content.sh - important script - this script prints the contents of management ssh public key (as single line: ssh-rsa AAAAB3Nza..... root@host)
- this key will be attached to
/root/.ssh/authorized_keysfile - script takes one argument: hostname (so you can use many keys and choose the proper one based on hostname)
get-ssh-management-key.sh - important script - this script prints the the full filename (including path) of management ssh private key
- script takes one argument: hostname - printed private key should match the public key printed by
get-ssh-management-key-content.shscript - this key should never be disclosed to anyone, even other administrators
- if this script is executed on host without management key, it should instead print the full filename of dedicated ssh private key for given hostname - so other administrators are also able to use Server Farmer management tools, assuming that they have at least the dedicated key for particular host they want to manage
setup.sh - this script is re-executed each time Server Farmer setup is executed, and is responsible for:
- installing ssh management public key on current host in
/root/.ssh/authorized_keysfile - executing any custom logic you want to execute on all hosts in the farm