[SOLVED] Is it possible to set up trusted ssh-certificate (NOT ssh-public-key) for Cloud-Init image?

hishnik

New Member
May 23, 2023
I didn't find this feature in Proxmox.
This makes access to VMs more scalable.
Is there any solution?
 
Provide your own cloud image with the changes you want. This is common practice to ensure the best integration in your infrastructure.

In general, there are so many things that you want to customize in an image tailored to your infrastructure that you end up building and providing the images yourself. This can be done in any CI environment, automatically on every change in the Git repository leading to the image, or on security updates in the background. We have been doing this for many years and yes, it is a little bit of work in the beginning, but after automation every new OS version is a minor change and you're good to go. We also have our own local mirrors for fast installs, provide our own additional packages and configuration files, and then customize again on VM provisioning.
 
Thank you for the answer.
It just looks strange to me that ssh-public-key is available in the standard Debian 11 cloud image, but no ssh-certificate, which is much more scalable.
I have already read some docs and am going to build my own image with the options needed.
 
I have to say that I have never heard of it until reading your post today and it makes total sense in big environments with a lot of changing keys, but it does not solve the problem with the distribution of the CRL, or does it?

So in the end it does not matter which key file I update (authorized_keys or CRL), I still have to do it. We built our own package infrastructure for .deb and .rpm including an SSH key distribution, so that we can just install new keys via auto-updates. I'm planning to add the SSH cert part and ship the CRL with it.
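
An image-build step for the approach discussed in this thread, as an added example that is not code from any poster or from Proxmox: it installs a user CA public key and an sshd drop-in into an unpacked image root, plus an empty revocation file that later updates can replace. The file names, the drop-in name and the assumption that the image's sshd_config includes /etc/ssh/sshd_config.d/*.conf are illustrative, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): trust an SSH user CA inside an unpacked
# image root during a custom image build. File names below are assumptions.

install_ssh_ca_trust() {
    root=$1      # unpacked or mounted image root (hypothetical, e.g. /mnt/image)
    ca_pub=$2    # user CA *public* key; the CA private key never enters the image

    [ -d "$root" ] || { echo "image root not found: $root" >&2; return 1; }
    [ -r "$ca_pub" ] || { echo "CA public key not readable: $ca_pub" >&2; return 1; }

    # Guard against baking the CA private key into every VM by mistake.
    if grep -q 'PRIVATE KEY' "$ca_pub"; then
        echo "refusing: $ca_pub contains a private key" >&2
        return 1
    fi
    keys=$(grep -c -E '^(ssh-|ecdsa-|sk-)[^ ]+ [A-Za-z0-9+/=]+' "$ca_pub" || true)
    [ "$keys" -ge 1 ] || { echo "no public key found in $ca_pub" >&2; return 1; }

    ssh_dir=$root/etc/ssh
    mkdir -p "$ssh_dir/sshd_config.d" || return 1
    cp "$ca_pub" "$ssh_dir/trusted_user_ca_keys.pub" || return 1
    chmod 0644 "$ssh_dir/trusted_user_ca_keys.pub"

    # sshd refuses public key authentication for all users when the RevokedKeys
    # file is unreadable, so ship an empty one that later updates replace.
    [ -e "$ssh_dir/revoked_keys" ] || : > "$ssh_dir/revoked_keys"
    chmod 0644 "$ssh_dir/revoked_keys"

    # Paths in the drop-in are as seen from inside the booted VM.
    cat > "$ssh_dir/sshd_config.d/50-user-ca.conf" <<'EOF' || return 1
TrustedUserCAKeys /etc/ssh/trusted_user_ca_keys.pub
RevokedKeys /etc/ssh/revoked_keys
EOF

    # The drop-in only takes effect if the main config includes the directory.
    if [ -f "$ssh_dir/sshd_config" ] &&
       ! grep -qi -E '^[[:space:]]*Include[[:space:]].*sshd_config\.d' "$ssh_dir/sshd_config"; then
        echo "warning: sshd_config does not include sshd_config.d" >&2
    fi
    return 0
}

if [ "$#" -eq 2 ]; then install_ssh_ca_trust "$1" "$2"; fi
```

Running `sshd -t` inside the finished image before publishing it catches a drop-in that the main configuration does not accept.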
 
