
I currently have multiple users accessing multiple customer servers via SSH (which all only allow access from our public office IP). This gets rather annoying whenever a new employee joins the company or the team, or leaves the team or the organisation. Another problem is that servers change ownership depending on their stage (development, operations).

So the best case would be if I could update the authorized keys in a scripted way every time something changes, through Ansible for example.

The thing is that I want to rely on the internal Active Directory users and group memberships, so that when a user changes teams (and groups) or leaves the company (gets deactivated) those changes happen automatically. But those servers would then need access to the AD server, which is internal only. So that's not really an option, as I do not want the AD port exposed on the internet.

Therefore I wanted to have something like a reverse bastion/jump host (or SSH gateway), which sits in our office network's DMZ and from which the users can connect to the customers' SSH servers. The jump host would have access to the AD to authenticate and authorize the users, checking that they are in the correct group needed for the customer server they want to connect to.

I found something similar to this (SSH access gateway for many servers), but it does not solve two problems:

- no AD integration
- no separation between teams

jcrosel
  • I have found something like that in https://www.ezeelogin.com, but I am not completely convinced by that solution. Does anyone have experience with it or can recommend something to solve this problem? – jcrosel Apr 30 '19 at 11:17

2 Answers


Check out the open source CLD software; it solves that problem: https://github.com/classicdevops/cld

If you have any questions, feel free to ask in the comments and I'll update the answer.


Consider SSH certificate authentication, with per-customer signing keys.

However, it is a separate PKI to implement (not X.509). You would need to design how to distribute and revoke keys, and how to integrate it with a directory if you want that.

John Mahowald
  • Thank you very much for that input, I had never heard of that possibility. But a signed SSH certificate would allow access to all servers within the CA trust, or am I wrong? So how would I be able to limit access to certain servers based on groups? I understand that I would be able to expire their keys if they left the company or a team, but how would I only allow access to a limited range of servers? – jcrosel May 02 '19 at 08:03
  • I see that's done by principals. There are several implementations for this, like CASSH and others, but I think a real solution would be using HashiCorp Vault, in my point of view. – jcrosel May 02 '19 at 10:18
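A worked example of the per-customer CA and the principals discussed in the comments, added here as an illustration; it is not code from the answer or from any of the tools named on this page. It assumes a hypothetical customer `acme`, hypothetical users alice, bob and carol whose AD group memberships are constructed sample data standing in for an LDAP query, and hypothetical group names `team-dev` and `team-ops`. The jump host keeps one CA per customer and signs short-lived certificates whose principals are the user's current groups. A customer server trusts only its own customer's CA (`TrustedUserCAKeys` in sshd_config) and, per login account, lists the principals allowed to use it (`AuthorizedPrincipalsFile`); the script emulates that server-side check with grep so it runs offline.

```shell
#!/bin/sh
# Added example: per-customer SSH CA on the jump host, certificates whose
# principals are the user's AD groups, and the per-account principals file
# a customer server would consult. Customers, users and groups below are
# hypothetical; the group memberships are constructed sample data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for an AD/LDAP group lookup.
ad_groups() {  # ad_groups <user> -> space-separated groups, empty if unknown/deactivated
    case "$1" in
        alice) echo "team-dev" ;;
        bob)   echo "team-dev team-ops" ;;
        *)     echo "" ;;            # deactivated or unknown account: no groups
    esac
}

# One signing key per customer: a leaked CA or an ended contract only ever
# affects that customer's servers.
make_customer_ca() {  # make_customer_ca <customer>
    [ -f "$WORK/ca-$1" ] || ssh-keygen -q -t ed25519 -N '' -C "ca-$1" -f "$WORK/ca-$1"
}

# Issue a short-lived user certificate. Principals = the user's groups right
# now; a user with no groups (left the company) gets no certificate at all.
issue_cert() {  # issue_cert <customer> <user> -> prints cert path, or returns 1
    customer=$1; user=$2
    groups=$(ad_groups "$user")
    [ -n "$groups" ] || return 1
    principals=$(echo "$groups" | tr ' ' ',')
    [ -f "$WORK/$user" ] || ssh-keygen -q -t ed25519 -N '' -f "$WORK/$user"
    # 8 hour validity: departures take effect without touching customer servers.
    ssh-keygen -q -s "$WORK/ca-$customer" -I "$user@jumphost" \
        -n "$principals" -V "+8h" "$WORK/$user.pub"
    echo "$WORK/$user-cert.pub"
}

# Read the principals back out of a certificate (the values sshd compares).
cert_principals() {  # cert_principals <cert-file> -> one principal per line
    ssh-keygen -L -f "$1" |
        awk '/Principals:/{p=1;next} /Critical Options:/{p=0} p{sub(/^[ \t]+/,""); print}'
}

# Server side: AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u lists which
# principals may log in as that account. sshd grants access if any cert
# principal matches a line of the file; emulate that with grep.
server_allows() {  # server_allows <principals-file> <cert-file>
    for p in $(cert_principals "$2"); do
        grep -qx "$p" "$1" && return 0
    done
    return 1
}

# Walk through one customer server with two accounts: 'deploy' for developers,
# 'root' for operations only. Prints "<user> <account> allow|deny|no-cert".
demo() {
    make_customer_ca acme
    mkdir -p "$WORK/auth_principals"
    echo "team-dev" > "$WORK/auth_principals/deploy"
    echo "team-ops" > "$WORK/auth_principals/root"
    for user in alice bob carol; do
        if cert=$(issue_cert acme "$user"); then
            for account in deploy root; do
                if server_allows "$WORK/auth_principals/$account" "$cert"; then
                    echo "$user $account allow"
                else
                    echo "$user $account deny"
                fi
            done
        else
            echo "$user - no-cert"
        fi
    done
}

if command -v ssh-keygen >/dev/null 2>&1; then
    demo
else
    echo "ssh-keygen not found; functions defined but demo skipped" >&2
fi
```

Run as written, alice can log in as `deploy` but not `root`, bob gets both, and carol (no groups, i.e. deactivated in AD) is refused a certificate at the jump host. On a real customer server the matching sshd_config lines would be `TrustedUserCAKeys /etc/ssh/ca-acme.pub` and `AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u`, so team separation is decided by the principals file on each server and the group-to-principal mapping on the jump host, not by distributing individual keys.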