
Ask HN: How do you provide SSH access to developers in your infrastructure?

2 points | prodicus | 6 years ago

I am curious about how you do it, keeping in mind:

- different teams having access to only those boxes which belong to that team

- providing ssh access without hand smashing the server.

- revoking ssh access for someone as and when required.

Would also be interested to know of possible ways to do the above.

4 comments

verdverm | 6 years ago
"gcloud compute ssh instance-name" and "kubectl exec ..." with IAM

I am still surprised that AWS has not created the same experience as GCP. The instance connect from the co-comment is an improvement, but requires install on each server and client, plus an extra step when you want to connect.

stephenr | 6 years ago
Use ldap as your centralised auth, add a schema extension for ssh public keys, configure sshd/pam/nss to use ldap (and the keys contained therein) for users/auth.

Use groups or a host attribute in ldap to manage access to specific servers or groups of servers.

Bonus: you can manage sudo access from ldap too.
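
One way to wire up the LDAP key lookup described in the comment above, as an added example that is not part of the original thread: an `AuthorizedKeysCommand` helper that asks the directory for a user's keys only when their entry lists this server in `host`. The script path, LDAP URI, base DN and the use of the openssh-lpk `ldapPublicKey`/`sshPublicKey` schema are assumptions.

```shell
#!/bin/sh
# Added example: AuthorizedKeysCommand helper for sshd.
# Assumed sshd_config lines (script path is hypothetical):
#   AuthorizedKeysCommand /usr/local/bin/ldap-ssh-keys %u
#   AuthorizedKeysCommandUser nobody
# Assumed directory layout (placeholders): users under
# ou=people,dc=example,dc=org, keys in sshPublicKey (openssh-lpk schema),
# permitted servers listed in each user's host attribute.

LDAP_URI="${LDAP_URI:-ldaps://ldap.example.org}"
LDAP_BASE="${LDAP_BASE:-ou=people,dc=example,dc=org}"

# Build the search filter. Both values are checked against a strict
# allow-list first, so a login name such as "*)(uid=*" cannot rewrite it.
build_filter() {
    user=$1
    host=$2
    case $user in ''|*[!a-z0-9_-]*) return 1 ;; esac
    case $host in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    printf '(&(objectClass=ldapPublicKey)(uid=%s)(host=%s))' "$user" "$host"
}

# Read LDIF on stdin and print one public key per line.
# Only plain "sshPublicKey: " values are handled, not base64 ("::") ones.
extract_keys() {
    sed -n 's/^sshPublicKey: //p'
}

# Query the directory; no matching entry means no keys and no login.
lookup_keys() {
    filter=$(build_filter "$1" "$2") || return 1
    ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" -b "$LDAP_BASE" \
        "$filter" sshPublicKey | extract_keys
}

# sshd runs the script with the login name as its only argument.
if [ $# -eq 1 ]; then
    lookup_keys "$1" "$(hostname -f)"
fi
```

Removing a server from a user's `host` values, or deleting the key from the entry, takes effect on that user's next connection because sshd calls the helper for every login attempt.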