3

We have a growing collection of servers, both physical and virtual, which we need to log into. Login is usually with SSH, using an RSA key pair rather than a password (which is switched off in the SSH settings). Right now we're setting our passwords and uploading our keys to each machine as the time comes, but that's accident-prone. We could very easily miss a setting and end up with one of the team not able to log in, or leave password access switched on without realising it.

So we'd like to manage these credentials centrally. It should set passwords, upload public keys, ensure SSH has the right settings, and make it easy to add a new user or remove a user who has left.

I suppose a script to copy the right files into the right places would do, but that seems messy when they're scattered across the system. How would you suggest we manage such credentials? It should be the minimum work possible to implement on each machine.

Marcus Downing
  • 778
  • 10
  • 18

2 Answers

7

Sounds like you want centralised configuration management. Puppet, bcfg2, Sprinkle, Chef, or CFEngine will likely be able to do this for you.

Edit: cwebber is right though, LDAP would avoid this problem in the first place, but you'll still want something like Puppet to make sure configs are otherwise correct.

Sirex
  • 5,447
  • 2
  • 32
  • 54
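As an added example (not code from this thread, nor from the Puppet project or any of the other tools named above), here is what the configuration-management route looks like in Puppet for exactly the four things the question asks for: create accounts and set passwords, install public keys, enforce the sshd settings, and remove a user who has left. It assumes Puppet 5.5+ syntax, the ssh_authorized_key type (core before Puppet 6, from the puppetlabs-sshkeys_core module after that) and a Debian-style host (service name 'ssh', daemon at /usr/sbin/sshd; use 'sshd' on RHEL-family systems). The user names, key material and password hash are constructed placeholders.

```puppet
# Added example, not from the original thread or the Puppet project.
# Assumes Puppet 5.5+ (each/filter/keys/join are built in), the
# ssh_authorized_key type (core before Puppet 6, puppetlabs-sshkeys_core
# after) and a Debian-style host: service 'ssh', sshd at /usr/sbin/sshd.
# All user names, keys and password hashes are constructed placeholders.

$team = {
  'alice' => {
    'ensure'  => 'present',
    'keytype' => 'ssh-rsa',
    'key'     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholderKeyForAlice',
    # hash as produced by `openssl passwd -6`; Puppet needs the ruby
    # 'shadow' library on the node to set it
    'passwd'  => '$6$placeholdersalt$placeholderhash',
  },
  'bob' => {
    # bob has left: ensure => absent drops the account and, with
    # managehome, its home directory and ~bob/.ssh/authorized_keys
    'ensure'  => 'absent',
  },
}

$team.each |String $name, Hash $u| {
  user { $name:
    ensure     => $u['ensure'],
    managehome => true,
    shell      => '/bin/bash',
    password   => $u['passwd'],   # undef for bob, so left unmanaged
  }

  if $u['ensure'] == 'present' {
    # ssh_authorized_key autorequires the user, so the account exists
    # before the key is written to ~$name/.ssh/authorized_keys
    ssh_authorized_key { "${name}@workstation":
      ensure => present,
      user   => $name,
      type   => $u['keytype'],
      key    => $u['key'],
    }
  }
}

# Only current team members may log in at all
$present = $team.filter |$n, $u| { $u['ensure'] == 'present' }
$allowed = join(keys($present), ' ')

# The whole file is managed, so a stray 'PasswordAuthentication yes' cannot
# survive a run. validate_cmd makes sshd parse the candidate file before it
# is installed, so a typo in the manifest never locks everyone out.
file { '/etc/ssh/sshd_config':
  ensure       => file,
  owner        => 'root',
  group        => 'root',
  mode         => '0644',
  validate_cmd => '/usr/sbin/sshd -t -f %',
  content      => @("SSHD"),
    # Managed by Puppet; local edits will be overwritten
    PubkeyAuthentication yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    PermitRootLogin no
    PermitEmptyPasswords no
    UsePAM yes
    AllowUsers ${allowed}
    Subsystem sftp internal-sftp
    | SSHD
  notify       => Service['ssh'],
}

service { 'ssh':
  ensure => running,
  enable => true,
}
```

Try it on one box first with `puppet apply --noop site.pp`, which reports every user, key and sshd setting that differs from the manifest without changing anything; that drift report is the "did we miss a setting" check the question is worried about. Removing someone is then a one-line change (ensure => absent) rolled out to every node, and keeping the whole sshd_config under management, rather than patching single lines, is what makes it impossible for password login to be quietly left on.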
7

You may want to look at options such as Kerberos. This way you are not even messing with keys per se and you can revoke them centrally at any time. Additionally, if you use LDAP for authorization, you can just add netgroups and it gets even easier to manage users.

cwebber
  • 491
  • 3
  • 7
  • I don't think LDAP or Kerberos are right. We're after a central place for managing logins, not a central login service. The difference is in the complexity, and the single point of failure. – Marcus Downing Mar 03 '11 at 17:27