Managing/remembering servers, logins, passwords

I don’t have a lot of servers, just 2 on Digital Ocean, 2 at my house. But, it’s hard to remember all the IPs and passwords (by poor security they all use the same username). What do you guys use to store all this? Presently I’m using a .txt file that’s my notes about things, and it’s not named anything noticeable, and most of the notes in there are shorthand so that it’d be hard to search my PC and come up with the credentials. BUT, it’s not a great tool long term, it’s not even a great tool now.

How do you guys keep up with server IP addresses, SSH keys, SSH passphrases, what they run on each one, the misc passwords for each one, etc.? Thanks!

I don’t run servers, but your list seems to match what password managers do. They often offer different ways to store information (logins, notes, etc.). I use Bitwarden, and I added stuff not related to the computers, like the ID and info of my car, ID card numbers and such… They’re very flexible.

2 Likes

~/.ssh/config lets you associate keys/accounts with separate IPs/hosts so you only need to remember nicknames.

On password management that’s a personal choice based on what you need.

KeePassXC is usually a safe bet and you can work your way out from there if you need more.

# CentOS/RHEL, enable EPEL: https://fedoraproject.org/wiki/EPEL
sudo dnf install keepassxc # Fedora/CentOS/RHEL
sudo apt install keepassxc # Debian/Ubuntu
sudo zypper install keepassxc # OpenSUSE
sudo pacman -S keepassxc # Arch
3 Likes
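An added example for the ~/.ssh/config nickname approach mentioned above (this is not code from any poster in the thread): a constructed config with one Host alias per machine, and a small awk resolver that reports the HostName, User and IdentityFile ssh would pick for a given nickname. The hosts, users, addresses and key paths are all placeholders.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: a constructed
# ~/.ssh/config with Host aliases, and a small awk resolver that reports the
# HostName, User and IdentityFile ssh would pick for a nickname. All hosts,
# users, addresses and key paths below are placeholders.
set -eu

CFG="${TMPDIR:-/tmp}/ssh_config_example.$$"
trap 'rm -f "$CFG"' EXIT

# Constructed config. One key per host, and IdentitiesOnly stops ssh from
# offering every key in the agent to every server.
cat > "$CFG" <<'EOF'
# Box on the home LAN
Host lab1
    HostName 192.0.2.10
    User admin
    IdentityFile ~/.ssh/id_ed25519_lab1
    IdentitiesOnly yes

# Droplet: the alias and the real name both work
Host web1 web1.server.example.com
    HostName web1.server.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519_web1
    IdentitiesOnly yes

# Fallback for anything not matched above (ssh uses the first value it finds)
Host *
    User root
    IdentityFile ~/.ssh/id_ed25519
EOF
chmod 600 "$CFG"   # ssh expects the config not to be group/world writable

# resolve ALIAS KEYWORD -> the value ssh would use for that alias.
# Mirrors ssh_config's rule that the first obtained value wins; only exact
# names and the bare "*" are matched here, not full glob patterns.
resolve() {
  awk -v alias="$1" -v key="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == "host" {
      inblock = 0
      for (i = 2; i <= NF; i++) if ($i == alias || $i == "*") inblock = 1
      next
    }
    inblock && !found && tolower($1) == tolower(key) { print $2; found = 1 }
  ' "$CFG"
}

# Show what each nickname resolves to; HostName falls back to the alias itself.
for h in lab1 web1 backup9; do
  hn=$(resolve "$h" HostName)
  printf '%-8s -> %s@%s  key=%s\n' "$h" "$(resolve "$h" User)" "${hn:-$h}" "$(resolve "$h" IdentityFile)"
done
```

With this file in place, `ssh lab1` is all you type. On a real system, `ssh -G lab1` prints the fully resolved configuration the same way, including the wildcard and Match handling this toy resolver skips.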

Yep, I store everything in a KeePass vault.
The only trouble I run into is this: I have several machines, all with their copy of the vault. If I update one, I have to copy that onto a thumb drive and put the updated copy on all the other machines.
I don’t know if it’s a good idea to have a single copy stored “in the cloud” somewhere, so I just go around with my thumb drive every time there’s been an update.
Slight hassle though. If I forget to take the drive with me, I don’t have the update with me for that machine.

1 Like

To prevent this, you could sync it with your preferred WebDAV provider: Nextcloud, Dropbox, Google Drive or whatever you use.
I sync my KeePass DB to all my clients with Nextcloud.
Also, I don’t use multiple SSH keys for different servers, but one.

True, but this would imply that you’d store your vault in the cloud. I’m not a big fan of that.
On another topic, @marvkal recommended Syncthing.
From the quick look I had just yet, it looks promising. I’ll give it a go this weekend and report back.

@Eltuxo: I understand your concerns regarding storing things in the cloud. But if it’s your personal/rented server, I don’t think that this would be less safe than a self-hosted bitwarden{,-rs} instance.
I also think Syncthing is a good alternative; it reminds me of BitTorrent Sync, which also syncs files/folders between your hosts over a p2p connection.

@snorlax: You could also dedicate a separate DNS zone to assign DNS records to your servers. Some people can remember names better than numbers. I name my servers with their function + generation number with a subdomain. The FQDN of my hosts looks like this: ((mail|web|app|storage|etc)[1-9]).server.MYDOMAIN.com

1 Like

Thanks all for the replies! I have used Bitwarden, hadn’t considered it for this. With 2 recommendations of Keepass, I’ll check that out also!
@miety, I don’t even know what those DNS zones are! Plus, I have 2 separate droplets, could I even do what you’re suggesting and connect via SSH? Meaning could I connect via

ssh username@storage1.nextcloud.mydomain.com?

@Eltuxo

If you want a quick solution you can deploy easily on your LAN for file sharing, I’d recommend Teleport.

It’s also in the Linux Mint repos.

https://flathub.org/apps/details/com.frac_tion.teleport
https://snapcraft.io/teleport


@snorlax

@miety’s solution sounds pretty epic. Depending on what you need you could just throw things into your bashrc or add them to your hosts file.

Ex:

nano ~/.bashrc
# Add to bottom:

archwiki='135.181.27.174'

# Save & quit
bash # Recognize the changes or open a different terminal

ping $archwiki

PING 135.181.27.174 (135.181.27.174) 56(84) bytes of data.

2 Likes
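An added example for the hosts-file variant of the post above (not code from the poster): server nicknames kept in a hosts-format file (address, then one or more names), with an updater that validates the IPv4 address and replaces an existing entry for the same nickname instead of appending a duplicate. The file path and the 192.0.2.x addresses are constructed placeholders; the 135.181.27.174 address is the one from the post.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: maintain server
# nicknames in a hosts-format file ("IP name ..."), validating the address
# and replacing an existing entry rather than duplicating it. HOSTS is a
# constructed temp path; point it at /etc/hosts (with sudo) for real use.
set -eu

HOSTS="${TMPDIR:-/tmp}/hosts_example.$$"
trap 'rm -f "$HOSTS" "$HOSTS.tmp"' EXIT
: > "$HOSTS"

# valid_ipv4 ADDR -> exit 0 only for a dotted quad with octets 0..255 and
# no leading zeros (so 999.1.1.1 and 01.2.3.4 are rejected)
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9]+$/ || $i > 255 || $i ~ /^0[0-9]/) exit 1 }
  '
}

# set_host NAME ADDR -> add or replace the entry for NAME in $HOSTS
set_host() {
  name=$1; addr=$2
  case $name in
    ""|*[!a-zA-Z0-9.-]*) echo "bad hostname: $name" >&2; return 1 ;;
  esac
  valid_ipv4 "$addr" || { echo "bad IPv4 address: $addr" >&2; return 1; }
  # keep every line that does not already carry NAME in a name column,
  # then append the fresh entry, so repeated updates never pile up
  awk -v n="$name" '
    { keep = 1; for (i = 2; i <= NF; i++) if ($i == n) keep = 0 }
    keep
  ' "$HOSTS" > "$HOSTS.tmp"
  printf '%s\t%s\n' "$addr" "$name" >> "$HOSTS.tmp"
  mv "$HOSTS.tmp" "$HOSTS"
}

# lookup NAME -> the address recorded for NAME, empty if absent
lookup() {
  awk -v n="$1" '{ for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$HOSTS"
}

set_host archwiki 135.181.27.174      # address from the post above
set_host lab1 192.0.2.10              # constructed LAN box
set_host lab1 192.0.2.11              # same nickname: entry is replaced, not duplicated
set_host broken 999.1.1.1 || echo "rejected as expected" >&2
cat "$HOSTS"
```

The same validation is worth keeping in front of anything that writes to /etc/hosts, since a stray malformed line there silently affects every program on the box that resolves names.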

@snorlax: If you have a domain under your control, you could separate the DNS settings by assigning a subdomain to another (maybe self-hosted) or the same DNS server. This would become a separate “zone”. You could alternatively assign a “sub-sub”-domain as an A record for your server.

And yes, you could do this with ssh, if the A records are set to the server IP for this specific domain 🙂

Short update: I’m rolling out Syncthing. On my LAN, no problem. Now I’m in the process of getting it to work over the WAN.
This is looking promising.
Thanks for the tips everybody.

1 Like

I’ve done this: a VeraCrypt container, which has the KeePass vault in it.
Syncthing is working across different devices syncing the container. Problem solved.
For security reasons, I keep backups of these containers, which I regularly update.
@snorlax it works. Maybe you could go this route?

I don’t know what VeraCrypt is, I’ll take a look.

I like the Bitwarden solution; I’ve dabbled with it before but hadn’t considered it in that functionality. I could set it up in Docker.

I do like Syncthing doing it for replication, and KeePass for storing it. I’ll probably look at self-hosted Bitwarden and KeePass, then look at a backup solution for that. Thanks!

1 Like