
Show HN: SSH Permit A38 – Central Management and Deployment for SSH Keys

86 points | burrnii | 8 years ago | github.com

26 comments

ThePhysicist | 8 years ago
Very interesting project, I've been confronted with this kind of problem (managing SSH access for a large number of users) several times and don't think there's a perfect solution for it yet.

An alternative (but also imperfect) solution that I've relied on in the past is using certificate-based authentication:

https://www.digitalocean.com/community/tutorials/how-to-crea...

This still requires the generation of certificates for users, but it doesn't require updating the key material on the servers themselves. Having short-lived user certificates then gives the admin an easy way to revoke access to a server without changing any keys there, by simply not issuing a new certificate to the user (and in urgent cases also revoking the certificate before it expires, which requires intervention on the server though).

I really hope that OpenSSH keeps improving their (still largely incomplete) PKI implementation, as I think it's a great feature for larger organizations.

snuxoll | 8 years ago
FreeIPA - I wish more people knew about this. You can tie a public SSH key to a user (users can also self-register them) and it is automatically recognized on all hosts joined to the IPA domain. If you want to limit who has access to what, the integrated RBAC facilities are there to handle that as well.
aren | 8 years ago
We (Foxpass, https://www.foxpass.com/) are a YCS15 company offering a SaaS (or on-prem) service to handle SSH key management & rotation, plus user and group management.

With our API, some customers are creating dynamic access rules (for example, an on-caller might have 'sudo' during their on-call week, but not at other times).

Like a hosted FreeIPA, but more powerful.

sz4kerto | 8 years ago
If you're managing a large number of servers and don't want to update configs on the servers themselves, then use e.g. OpenLDAP.
sz4kerto | 8 years ago
Genuine question: what functionality does this provide that e.g. Ansible doesn't?

With Ansible, one can put the SSH keys into a .yml file in a format that is very similar to the examples in the OP, then the authorized_key module can be used to ensure that the key is present (or absent) on the remote servers. It's really, really trivial. Maybe the difference is that you can paste the SSH key into the CLI instead of a file... hm.

jmcnulty | 8 years ago
You're much better off using AuthorizedKeysCommand as vertex-four suggested, and ditch passwords completely. It just needs to return the SSH public key of the login user. You can get that from any backend you like. If you have an LDAP server, great. But it doesn't have to be anything fancy; you could pull the user's key off a web server!

Distributing accounts and SSH keys via any configuration management system is clunky by comparison, and scales badly when you get to many hundreds of users and thousands of servers.
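The AuthorizedKeysCommand approach described in the comment above, as an added example that is not from any commenter or from the project being shown. sshd invokes the command with the login name (%u) and treats whatever it prints as the authorized_keys content for that login; empty output means no key, so no access. The backend here is a constructed per-user file directory under KEYSTORE (an assumed path); an LDAP query or HTTP GET would slot into lookup_keys the same way. The script is written defensively because %u is an unauthenticated client-supplied string at the point it is passed in.

```shell
#!/bin/sh
# Added example: a minimal AuthorizedKeysCommand backend.
#
# sshd_config lines that use it (paths are assumptions for this example):
#   AuthorizedKeysCommand     /usr/local/bin/fetch-keys %u
#   AuthorizedKeysCommandUser nobody
# sshd refuses the command unless the script and its parent directories are
# owned by root and not writable by group or others.
#
# Constructed backend layout: one file per user, $KEYSTORE/<user>.pub

KEYSTORE="${KEYSTORE:-/var/lib/sshkeys}"

# Reject anything that is not a plain lowercase POSIX user name before it is
# used in a path: %u is untrusted here, so "../" or a leading "-" must not
# reach the filesystem lookup below.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9._-]*|.*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print only lines that look like OpenSSH public keys (type, space, base64).
# Comments, blank lines and corrupted records are dropped rather than passed
# through to sshd. Returns non-zero when the user has no usable key.
lookup_keys() {
    user="$1"
    valid_username "$user" || return 1
    f="$KEYSTORE/$user.pub"
    [ -f "$f" ] || return 1
    grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[^ ]+) [A-Za-z0-9+/=]+' "$f"
}

# Entry point when sshd runs the script: exactly one argument, the login name.
if [ $# -eq 1 ]; then
    lookup_keys "$1"
fi
```

Because sshd consults the command on every authentication attempt, the lookup is also the natural place to log who was asked for and whether a key was returned; rejecting malformed names before the lookup keeps that log trustworthy.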

lima | 8 years ago
It doesn't. A bit faster maybe.

Ansible is perfect for deploying SSH keys.

mdekkers | 8 years ago
Nice. I do the same, with Saltstack. I manage all my users' access, including account creation and removal, password setting, and key management. Easy peasy.
tr0ut | 8 years ago
Can you post an example of this? Link works too.
tptacek | 8 years ago
What's the advantage to this over setting up an SSH CA?

https://code.facebook.com/posts/365787980419535/scalable-and...

If you're in AWS, you can also look at Bless, which is Lambda-hosted and mints short-lived certificates with a command-line client:

https://github.com/Netflix/bless
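The SSH CA flow that ThePhysicist's comment and this one refer to, as an added example that is not from any commenter and is not the Facebook or Netflix tooling linked above; it uses nothing but ssh-keygen. The CA keypair, user names, serial numbers, validity window and the WORK scratch directory are all constructed for the example. Servers only ever receive the CA's public half (TrustedUserCAKeys) and, for urgent revocation, a key revocation list (RevokedKeys); onboarding a user or letting a certificate lapse touches no server at all.

```shell
#!/bin/sh
# Added example: user-certificate issuance and revocation with an SSH CA.
#
# On every server (sshd_config; paths are assumptions for this example):
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
#   RevokedKeys       /etc/ssh/revoked.krl
# The CA private key never leaves the signing host.

WORK="${WORK:-$(mktemp -d)}"

# 1. Create the CA keypair once. Only $WORK/user_ca.pub is copied to servers.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'example-user-ca' -f "$WORK/user_ca" </dev/null
}

# 2. Issue a short-lived certificate: issue_cert <user> <serial> [validity]
#    In real use the user generates the keypair and sends only the .pub; the
#    keypair is generated here so the example is self-contained.
#    -I  key id, recorded in sshd's auth log on every login
#    -n  principals (login names this certificate is valid for)
#    -z  serial number, which is what the KRL revokes by
#    -V  validity window; 5 minutes of back-dating absorbs clock skew
issue_cert() {
    user="$1"; serial="$2"; ttl="${3:-+8h}"
    ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$WORK/$user" </dev/null
    ssh-keygen -q -s "$WORK/user_ca" -I "$user@example" -n "$user" \
        -z "$serial" -V "-5m:$ttl" "$WORK/$user.pub"
    # Output: $WORK/$user-cert.pub, which the user presents alongside the key.
}

# 3. Urgent revocation before expiry: add the certificate to the KRL, which
#    is then pushed to the servers' RevokedKeys path. -u updates an existing
#    KRL instead of starting a new one.
revoke_cert() {
    krl="$WORK/revoked.krl"
    if [ -f "$krl" ]; then
        ssh-keygen -q -k -u -f "$krl" "$WORK/$1-cert.pub"
    else
        ssh-keygen -q -k -f "$krl" "$WORK/$1-cert.pub"
    fi
}

# Returns 0 when the KRL lists the user's certificate, i.e. sshd would reject it.
is_revoked() {
    ssh-keygen -Q -f "$WORK/revoked.krl" "$WORK/$1-cert.pub" 2>/dev/null | grep -q REVOKED
}
```

Expired certificates need no KRL entry at all, which is why a short -V window does most of the revocation work; the KRL is only for cutting access off inside that window. Keep the serial numbers unique per CA, since that is the identity the KRL records.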

toomuchtodo | 8 years ago
If you’re in AWS, wouldn’t SSM agents on instances be preferable to SSH access? That provides for both access control (IAM for user access, SSM documents for constraining command execution authority) and auditing/logging of executed commands (CloudTrail).

This does not work for interactive terminal use cases, but does work (in my experience) if you’re targeting immutable instances. It also has the lovely side effect that you can create scheduled tasks within the AWS control plane (if that’s your cup of tea).

Example SSM client: https://github.com/itsdalmo/ssm-sh

Disclaimer: I’m implementing this in a large enterprise environment.

xg15 | 8 years ago
Slightly off-topic: I've seen a few references to the Asterix A38 scene in open source projects recently and it always seems to be a sure sign the developers are German. Is this actually a German-only thing?
bhaak | 8 years ago
It resonates highly with the kind of bureaucracy that Germans have to put up with.

Therefore it wouldn't surprise me if this scene is most popular with Germans and other nationalities only regard it as a funny, exaggerated sequence, whereas for Germans it hits close to home.

teekert | 8 years ago
No idea, but I'm Dutch and this used to be one of my favorite movies, so it could also have been a dev from the Netherlands. I indeed love how it describes bureaucracy, but I used to really love that chef who keeps bringing food enthusiastically.
recentdarkness | 8 years ago
Asterix and Obelix are big in Germany, at least in my childhood :-D But it is French.
TomK32 | 8 years ago
All very nice but according to Circular B 65 you will also need Permit A39.
edem | 8 years ago
Fun fact: there is a ship by this name: https://www.a38.hu/en/
AdrianoKF | 8 years ago
Not sure if the ship was named after it as well, but Permit A38 references a scene from an Asterix and Obelix animated film (https://en.wiktionary.org/wiki/Passierschein_A38; https://www.youtube.com/watch?v=GI5kwSap9Ug). The comic series by René Goscinny and the animated films were very popular in Europe, probably not so much in the US.

Permit A38 refers to a scene where the protagonists are referred multiple times within an overly bureaucratic Roman administrative office, so it has become sort of synonymous with a Sisyphean task in the German language (at least in limited circles).