
We have a team of 20+ interns that join and leave us every 3-6 months. They each have individual SSH logins set up on 10-15 shared AWS instances, some of which have been running for years, while others run for a few days or weeks. Each time, we need the admin to create the instance and authorize the users and their keys, as well as set up their roles. When they leave, the admin manually deletes all users or, in some cases, only blocks the authorized keys to prevent SSH.

What is the best practice to be able to automate this user and SSH management for running instances? How can we audit our instances to ensure that a user does not bypass our SSH restrictions?

Jedi
  • Does your organization use a configuration management tool like puppet/chef/ansible? If so, then just include the ssh authorized key file in the management, so you update it once and it pushes to every other server. – Doug Skinner Jul 02 '16 at 00:35
  • We don't, but we could consider adopting it if the learning curve isn't too steep and it is easy to configure rules for individual instances and AMIs. – Jedi Jul 02 '16 at 00:37
  • Puppet may be a bit too much just for ssh management; however, I would consider looking into it in the future. For right now [ansible](https://www.ansible.com/configuration-management) may be your best bet, as it only requires OpenSSH access on all the servers. You can set it up to run a script that ensures all servers on the list have the same copy of the authorized keys file, which means you just update the file and run the ansible command and all ssh access is taken care of. – Doug Skinner Jul 02 '16 at 00:49
  • Looks like a good case for OpenLDAP. Did you check it? http://serverfault.com/questions/653792/ssh-key-authentication-using-ldap – Putnik Jul 02 '16 at 06:23
  • Here we use packages (_e.g._ `.deb`, `.rpm`) of the employee SSH keys, and a cron script (on each instance) which updates those packages daily. A re-build/re-publish of the package with added/removed keys keeps things up to date. – Castaglia Jul 06 '16 at 22:12
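The approach the comments converge on (one central list of users and keys, pushed to every instance by Ansible, a package or a cron job) can be made the only way in and then audited. The script below is an added example written for this page; it is not code from the thread, from Ansible, or from any other tool named here. It assumes an allowlist file whose lines read `<username> <keytype> <base64> [comment]` (the refresh from S3 or a package is not shown), that the directory name under the home root equals the account name, and the sshd_config directives listed in its header comment. The names `central-keys`, `lookup_keys`, `key_id`, `audit_rogue_keys` and `check_sshd_config` are invented for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Ansible/Teleport/FreeIPA.
# One central allowlist feeds sshd via AuthorizedKeysCommand, and an audit
# flags keys in ~/.ssh/authorized_keys that are not on that list.
# Assumptions (invented for this example):
#   - ALLOWLIST lines look like "<username> <keytype> <base64> [comment]" and
#     are refreshed by a cron job from S3 or a package (refresh not shown).
#   - audit_rogue_keys uses the directory name under HOMEROOT as the account
#     name; a production version should resolve accounts with getent passwd.
# sshd_config fragment this pairs with (the script must be root-owned and
# not group/other writable, or sshd refuses to run it):
#   AuthorizedKeysCommand /usr/local/sbin/central-keys %u
#   AuthorizedKeysCommandUser nobody
#   AuthorizedKeysFile none
#   PasswordAuthentication no

ALLOWLIST="${ALLOWLIST:-/etc/ssh/central_keys}"

# Print the keys allowed for one exact username, in authorized_keys format.
# Fails loudly (and sshd logs it) if the allowlist is missing: fail closed.
lookup_keys() {
    user="$1"
    if [ ! -r "$ALLOWLIST" ]; then
        echo "central-keys: $ALLOWLIST unreadable" >&2
        return 1
    fi
    awk -v u="$user" '$1 == u { sub(/^[^ \t]+[ \t]+/, ""); print }' "$ALLOWLIST"
}

# Reduce one authorized_keys line to "keytype base64", dropping any leading
# options (no-pty, command="...") and the trailing comment.
key_id() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i+1); exit }
    }'
}

# Print "ROGUE <user> <keytype> <base64>" for every key found under
# HOMEROOT/*/.ssh/authorized_keys that the allowlist does not grant to that
# user. Returns 1 if anything was reported, 0 on a clean host.
audit_rogue_keys() {
    homeroot="${1:-/home}"
    rogue=0
    for f in "$homeroot"/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$(dirname "$f")")")
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|\#*) continue ;; esac
            id=$(key_id "$line")
            [ -n "$id" ] || continue
            # A missing allowlist makes every key rogue, never silently clean.
            if ! lookup_keys "$user" 2>/dev/null |
                 awk -v k="$id" '{ if (($1 " " $2) == k) found = 1 } END { exit !found }'; then
                echo "ROGUE $user $id"
                rogue=$((rogue + 1))
            fi
        done < "$f"
    done
    [ "$rogue" -eq 0 ]
}

# Check that a sshd_config makes the central list authoritative. Prints
# "MISSING <directive>" per gap and returns 1 if any; on a live host prefer
# `sshd -T`, which shows the effective settings after Match and Include.
check_sshd_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    missing=0
    for want in 'AuthorizedKeysCommand /' 'AuthorizedKeysCommandUser ' \
                'AuthorizedKeysFile none' 'PasswordAuthentication no'; do
        grep -Eiq "^[[:space:]]*$want" "$cfg" || { echo "MISSING $want"; missing=1; }
    done
    return $missing
}
```

With `AuthorizedKeysFile none`, sshd never reads `~/.ssh/authorized_keys`, so a key a user adds there grants nothing; the audit still reports such keys because they show someone trying to route around the central list, and it fails closed when the allowlist is missing rather than reporting a clean host. Removing a departed intern then means deleting their lines from the one allowlist; the next refresh revokes them everywhere, and the audit catches any leftover files.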

2 Answers

If you always have folks leaving & joining, and you care a bit about security, you might want to consider multi-factor authentication along with Teleport.

The 'cluster' concept in Teleport should let users automatically login to new hosts in a cluster with no intervention. You can also specify the duration of SSH keys and create/delete users across clusters easily.

Setting up Teleport could be as involved as using Puppet/Chef, so you might want to prepare & prioritize a list of your requirements & features before implementation.

LDAP/AD support is a paid feature of Teleport.

Not Now
  • Thanks for the answer. We're going to try Teleport soon. For now, we've baked in a cron job on our AMIs to load a list of users and authorized_keys from S3 and copy it in place. – Jedi Jul 10 '16 at 18:27
FreeIPA is likely to be what you are looking for: http://freeipa.org/page/Main_Page

It allows you to manage hosts and users, set up expiration dates, etc., all from a web interface.

jmary