Managing SSH keys with Conary

Since we “eat our own dogfood” here at rPath, we have IT using a Platform-as-a-Service model.

They maintain their own platform that contains all the bits required on all the systems, like a baseline. As a consumer of the platform, all I have to do is add my own software.

In this case, I was basing my Jira product on IT’s custom platform.

IT wants their standard SSH keys (for their own access, as well as for automated backups) on all their machines. But I also want SSH access (and my SSH key) on my appliance. Since one cannot share /root/.ssh/authorized_keys among multiple packages, Conary’s tag handlers to the rescue!

Foresight’s development branch now has an ssh-keys package that allows you to manage multiple sources for your ssh keys.

To manage your keys with Conary, all you need to do is drop your SSH public keys in /etc/ssh/keys.d/<username>/<somename>.pub within a Conary package that has a build requirement on ssh-keys:runtime (so that the file is properly tagged).

When the file gets installed, ssh-keys’ tag handler will append the file to the user’s authorized_keys file, thus granting you access.

Key removal is not yet done, although it would not be hard at all to implement.
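The append step described above, plus a check for the removal gap, as an added sketch in shell (this is not the ssh-keys package's own handler code). The function names, the ROOT prefix argument and passing the home directory explicitly are assumptions made so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not the ssh-keys package's code. Layout from the post:
#   $ROOT/etc/ssh/keys.d/<username>/<somename>.pub
# Assumption: the user's home is passed in explicitly (a real handler
# would look it up, e.g. with getent passwd).

# install_key ROOT PUBFILE HOME
# Append PUBFILE to HOME/.ssh/authorized_keys, skipping lines that are
# already present, so re-running the handler never duplicates a key.
install_key() {
    root=$1 pub=$2 home=$3
    auth="$root$home/.ssh/authorized_keys"
    # sshd ignores authorized_keys when these are group/world writable
    mkdir -p "$root$home/.ssh" && chmod 700 "$root$home/.ssh"
    touch "$auth" && chmod 600 "$auth"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pub"
}

# unmanaged_keys ROOT USER HOME
# Print authorized_keys lines that no file in keys.d/USER accounts for:
# keys added by hand, or keys left behind after a package dropped its
# .pub file (removal is not handled, so those keys still grant access).
unmanaged_keys() {
    root=$1 user=$2 home=$3
    auth="$root$home/.ssh/authorized_keys"
    [ -f "$auth" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        cat "$root/etc/ssh/keys.d/$user"/*.pub 2>/dev/null |
            grep -qxF -- "$line" || printf '%s\n' "$line"
    done < "$auth"
}
```

Running unmanaged_keys with an empty ROOT (for example `unmanaged_keys "" root /root`) audits the live system; any line it prints is a key that still grants access without a package owning it.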
