[Gllug] managing ssh access for many servers
JLMS
jjllmmss at googlemail.com
Fri Feb 26 00:48:27 UTC 2010
On Thu, Feb 25, 2010 at 11:36 AM, Oliver Howe <ojhowe at gmail.com> wrote:
>
> We have hundreds of linux servers, and more than 20 sysadmins.
> Currently the admins ssh to the servers (all are on a private network) as
> root and supply a password
> which is kept in a red folder.
> Now we are looking for a way of managing ssh access to the servers using
> keys instead of root password access.
>
> The main concern is to have a way of changing the public/private keys for
> all the servers on a regular basis and then distributing the private key
> to the sysadmins. Is puppet the best way to do this? Or how about skm
> http://sites.google.com/site/jeromeboismartel/news/ssh-key-management-with-skimp
> I would be very interested to hear how other people in large environments
> have their servers/keys admin access managed and opinions on the best way
> to do this.
> Thanks,
> Oliver
You don't distribute root's private keys.
Sorry, you simply should not, that is shoddy practice, no other way to slice it.
In the environments I have seen you have a couple of admin servers
that are highly secure, available to SAs only, nobody ever becomes
root at all there.
>From there the SAs ssh to the hosts they need, the servers they need
to access have the public keys corresponding to the accounts in the
admin servers which allows them to do whatever they need, in many
cases ssh is configured in force command mode to limit what people can
do remotely as root.
A select group of people (3 or 4 in networks of 3 or 4 thousand
servers) can actually become root in the administration servers and
access all other machines remotely at will, but even this is not
really necessary (SAs should talk to each other to troubleshoot
problems, reliance in a few wise people should be considered bad
security practice).
There are commercial products out there that try to deal with this
pain (e-DMZ PAR is a central password storage, people that need to
login as root need to be authorized by a central authority before
getting a one time root password which has an expiration time).
If you want a more general solution to SSH key management there is
Tectia SSH, which also manages host certificates, protecting your
network from man on the middle attacks.
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
More information about the GLLUG
mailing list