kojiromike | 8 years ago

Using a sc like yubikey is great for security, but has performance implications for parallel tasks like salt-ssh across a bunch of hosts. Yubikey can only handle a single thing at a time, and is a touch slow, so if you are using salt-ssh to run a command on multiple servers, and if that salt-ssh happens to use GPG to decrypt pillars, then you're going to be waiting hundreds of times longer than you would using the vanilla, parallelizable ssh agent and scdaemon-free gpg-agent.

pastage | 8 years ago

I use GPG-signed tarballs for that; mostly it's just to run scripts on multiple servers, but it's also useful for file transfers. You still have to fix secure transfers between hosts, but you do not authenticate the connecting clients; your client just needs to verify host keys to protect against MITM. Works on pretty large installations.

I started doing it like this when I only had Debian machines, and just used apt and .deb archives, but I never could find the time to hack apt to be a perfect fit for it, and it ended up being hell on other OSes.