How do I set up SSH to allow 5 people to log in to 100 Linux boxes with the same credentials?

Suppose I have 5 users and 100 Linux machines with remote shell enabled. How do I set the environments up to allow these few users to log in to any of the machines with the same credentials?
Set up LDAP domain

By using an LDAP domain every authentication request to any machine is redirected to the domain controller. As far as I know, some Linux distros can join a Windows domain, if you already have one active. With this you have full centralized control over all the users in the network. You can add and remove users immediately from a single machine.

Pros:

  • Easiest to maintain
  • Immediate effect of user management
  • Very useful and cheap if you have an already active domain in your company
  • Integrated with common domain management software (i.e. if you use Windows)

Cons:

  • If the LDAP controller is not clustered, that would be a single point of failure, so you have to take more servers into account; the extra server(s) for LDAP and the cluster make the solution more expensive
  • Slightly difficult to set up if you don't have a domain controller already running
  • AFAIK you can't use public key authentication

Distribute SSH keys from a centralized machine

This is very useful when you want to use stronger authentication with public keys. You can upload all the users' keys to a single box that runs a cron job which scps the pubkeys to the correct home directories at certain time intervals.

Pros:

  • Fault tolerant. Any number of servers can crash but the available machines won't be affected
  • Easiest and cheapest to set up

Cons:

  • If you have more than "five" users, i.e. you are working on a large corporate network, user management is extremely difficult: user creation, deletion, etc. must be done for each server, usually with a script that replicates commands
  • Public keys are updated with a delay if you don't manually run the script

Mount the home directories in a shared network drive (NFS, SSHFS...)

This has the advantage of real-time effects of modifications to public keys (since they are always read from the network share). Also, if you make /etc/shadow a symlink to a shared drive you have real-time user management from your controller.

Pros:

  • Not many except real-time modifications
  • Whole home directory is shared across servers (it often comes handy, believe me...)

Cons:

  • Fault tolerance is as with the LDAP domain: you need to replicate the home directories or you cannot authenticate
  • Trickier than both the other solutions to set up and maintain
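As an added illustration of the "Distribute SSH keys from a centralized machine" option above (example code written for this page, not taken from the answer), here is a cron-friendly script for the central box. It assumes a key store laid out as $KEYDIR/<user>/*.pub, a hosts file with one hostname per line, and root SSH access from the central box to every server; it filters out anything that is not a bare OpenSSH public key and refuses to push an empty file, so one bad run cannot lock a user out of the whole fleet.

```shell
#!/bin/sh
# Added example, not code from the answer: build each user's authorized_keys
# from a central key store ($KEYDIR/<user>/*.pub, assumed layout) and push it
# to every host listed in $HOSTS (one name per line, root SSH access assumed).
set -eu

KEYDIR="${KEYDIR:-/srv/sshkeys}"
HOSTS="${HOSTS:-/srv/sshkeys/hosts.txt}"

# build_authorized_keys USER OUTFILE -> prints how many keys were kept.
# Only lines shaped like a bare OpenSSH public key survive, so a stray
# comment, a pasted private key, or an option-prefixed line never reaches
# the servers (the store is assumed to hold plain keys without options).
build_authorized_keys() {
    user="$1"; out="$2"
    : > "$out"
    for f in "$KEYDIR/$user"/*.pub; do
        [ -f "$f" ] || continue
        grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$' "$f" >> "$out" || true
    done
    chmod 600 "$out"
    wc -l < "$out" | tr -d ' '
}

# push_user_keys USER FILE: install FILE as ~USER/.ssh/authorized_keys on
# every host; the content is streamed over ssh and renamed into place, so
# no world-readable temp copy exists and sshd never sees a half-written file.
push_user_keys() {
    user="$1"; file="$2"; d="/home/$user/.ssh"
    while read -r host; do
        [ -n "$host" ] || continue
        ssh "root@$host" "umask 077; install -d -m 700 -o '$user' '$d' \
            && cat > '$d/.ak.tmp' && chown '$user' '$d/.ak.tmp' \
            && mv '$d/.ak.tmp' '$d/authorized_keys'" < "$file"
    done < "$HOSTS"
}
main() {
    tmp=$(mktemp -d)
    for dir in "$KEYDIR"/*/; do
        [ -d "$dir" ] || continue
        user=$(basename "$dir")
        n=$(build_authorized_keys "$user" "$tmp/$user")
        # Never push an empty file: one bad run would lock that user out everywhere.
        if [ "$n" -eq 0 ]; then echo "skip $user: no valid keys" >&2; continue; fi
        push_user_keys "$user" "$tmp/$user"
    done
    rm -rf "$tmp"
}
if [ "${1:-}" = run ]; then main; fi
```

Invoke it with the argument `run` from the cron job; without that argument the file only defines the functions, which is what lets the build step be tested locally without touching any host.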

Below is how a large organization does it with Puppet and SSH keys. The puppetmaster distributes the user accounts and the SSH settings directory for each user, and sets a password for each user.

http://itand.me/using-puppet-to-manage-users-passwords-and-ss

This can be replicated in any config management system, not just Puppet.