identifying ssh trusts between multiple servers on a network
The problem:
We have many dev/qa/prod RH/Solaris servers with many accounts having ssh trust between them, including between servers in different environments (prod->prod, but also qa->prod). I know this is a bad practice, and the first step I'm trying to take to resolve it is to understand which accounts on which boxes can ssh to which other accounts on which boxes without a password.
My approach was going to be a shell script to log into a specified list of servers, and sudo go through the /etc/passwd file to get a list of all accounts and home directories, look at the latter for the presence of .ssh and id_rsa.pub and/or id_dsa.pub and authorized_keys, and output this information, per account per box, to stdout on the machine running the script.
The fact that users can specify a key for ssh to use that is not the default is an acknowledged limitation. (I'm assuming that is not the case.)
Then use the output to create an HTML page with JavaScript objects {username, machine_name, rsa_key, dsa_key, authorized_keys[]} created from the output above, and use jQuery (or similar) to display the hierarchy (how is TBD).
My question is, does something to address this kind of an issue already exist? And if not, any input on my approach would be welcome.
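The inventory the question describes, written out as an added example (this is not the asker's script). It walks /etc/passwd, checks each home for .ssh/id_rsa.pub, .ssh/id_dsa.pub and .ssh/authorized_keys, and prints one tab-separated line per key, tagged with the host name. It then goes one step further than the question and joins the per-host output on the key blob, so an authorized_keys entry on one box is matched back to the id_*.pub that produced it; entries with no matching .pub among the surveyed hosts are flagged as unknown. Everything it runs against is constructed here: the hosts qa01 and prod01, their passwd files, and the key blobs are all placeholders, built under a temporary directory so the script runs offline without root. On a real server you would run inventory_keys with ROOT=/ under sudo, once per box, and feed the concatenated output to resolve_trusts.

```shell
#!/bin/sh
# Added example, not from the original post. Per-account SSH key inventory
# plus trust resolution, run here against constructed fake roots so it works
# offline. On a real server run: inventory_keys / "$(hostname)" under sudo.

# inventory_keys ROOT HOST
# Walks ROOT/etc/passwd and, for every account, looks in ROOT<home>/.ssh for
# id_rsa.pub, id_dsa.pub and authorized_keys. One TAB-separated line per key:
#   host  user  kind  keytype  keyblob  comment
# where kind is rsa_pub, dsa_pub or authorized. Accounts without keys print nothing.
inventory_keys() {
    root=${1%/}     # "/" becomes "" so paths concatenate cleanly
    host=$2
    while IFS=: read -r user pw uid gid gecos home shell; do
        sshdir="$root$home/.ssh"
        [ -d "$sshdir" ] || continue
        for pair in id_rsa.pub:rsa_pub id_dsa.pub:dsa_pub authorized_keys:authorized; do
            file=${pair%%:*}
            kind=${pair#*:}
            [ -f "$sshdir/$file" ] || continue
            # Skip blank/comment lines. authorized_keys entries may begin with
            # options (from=, command=, no-pty, ...), so find the key-type token
            # rather than assuming it is field 1; blob and comment follow it.
            awk -v h="$host" -v u="$user" -v k="$kind" '
                /^[ \t]*#/ || NF == 0 { next }
                {
                    for (i = 1; i <= NF; i++)
                        if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+)$/) {
                            print h "\t" u "\t" k "\t" $i "\t" $(i + 1) "\t" $(i + 2)
                            next
                        }
                }' "$sshdir/$file"
        done
    done < "$root/etc/passwd"
}

# resolve_trusts INVENTORY_TSV
# Self-join of the inventory: an authorized_keys entry on host B for user b whose
# blob equals some id_*.pub on host A for user a means a@A -> b@B works without a
# password (assuming the private key sits next to that .pub, which a .pub alone
# cannot prove). Entries whose blob matches no surveyed .pub are flagged unknown.
resolve_trusts() {
    awk -F '\t' '
        NR == FNR { if ($3 ~ /_pub$/) owner[$5] = owner[$5] " " $1 ":" $2; next }
        $3 == "authorized" {
            if ($5 in owner) {
                n = split(owner[$5], src, " ")
                for (i = 1; i <= n; i++) if (src[i] != "") print src[i] " -> " $1 ":" $2
            } else {
                print "unknown(" $6 ") -> " $1 ":" $2
            }
        }' "$1" "$1" | LC_ALL=C sort -u
}

# build_sample_roots DIR
# Constructed sample data (hypothetical hosts qa01 and prod01, placeholder key
# blobs): a QA deploy key authorized, with options, for app@prod01, plus one
# key in that authorized_keys whose origin is not among the surveyed hosts.
build_sample_roots() {
    base=$1
    mkdir -p "$base/qa01/etc" "$base/qa01/home/deploy/.ssh" \
             "$base/prod01/etc" "$base/prod01/root/.ssh" "$base/prod01/home/app/.ssh"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
                  'deploy:x:1001:1001:deploy:/home/deploy:/bin/sh' \
                  'nobody:x:99:99:nobody:/:/sbin/nologin' > "$base/qa01/etc/passwd"
    printf '%s\n' 'ssh-rsa AAAAB3FAKEqaDEPLOY== deploy@qa01' > "$base/qa01/home/deploy/.ssh/id_rsa.pub"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
                  'app:x:1002:1002:app:/home/app:/bin/sh' > "$base/prod01/etc/passwd"
    printf '%s\n' 'ssh-dss AAAAB3FAKEprodROOT== root@prod01' > "$base/prod01/root/.ssh/id_dsa.pub"
    printf '%s\n' 'ssh-rsa AAAAB3FAKEprodAPP== app@prod01' > "$base/prod01/home/app/.ssh/id_rsa.pub"
    printf '%s\n' '# deploy key from QA, restricted to one command' \
        'command="/usr/local/bin/deploy.sh",no-pty ssh-rsa AAAAB3FAKEqaDEPLOY== deploy@qa01' \
        'ssh-dss AAAAB3FAKEunknown== someone@somewhere' > "$base/prod01/home/app/.ssh/authorized_keys"
}

# Demo against the constructed roots; on real hosts collect one inventory_keys
# run per server (over ssh + sudo) into a single TSV and resolve it here.
tmp=$(mktemp -d)
build_sample_roots "$tmp"
{ inventory_keys "$tmp/qa01" qa01; inventory_keys "$tmp/prod01" prod01; } > "$tmp/inventory.tsv"
cat "$tmp/inventory.tsv"
resolve_trusts "$tmp/inventory.tsv"
rm -rf "$tmp"
```

Two caveats that matter when reading the result. A .pub file only shows that a key was generated there; the private half may have been copied elsewhere or deleted, and a private key stored under a non-default name (the limitation the question already acknowledges) will not be seen at all. Conversely, options in front of an authorized_keys entry (from=, command=, no-pty) narrow what the trust actually permits, so the options column is worth keeping alongside the comment when building the page.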
Solution 1:
Looks like you've got a good idea of what you are doing here. It's always a good idea to document what systems can connect to things without any passwords. It's not necessarily bad practice to do so, and in fact required to do some things, but you need to know how it all works if someone breaks into one of your servers - what else did they gain access to?
One place to look is the authentication log on all of your servers. This will tell you what keys are actually being used for current scripts/programs.
SSHd does tell you how the user logged in. In the logs you should see a line like:
Accepted publickey for automatedprocess from 123.456.789.012 port 12345 ssh2
Going through the logs and finding all the unique combinations of the server the log is on, the username, and the from address will show you which systems have been making use of those keys.
That may also give you a good starting place to see which ones aren't needed anymore, and which ones are used regularly by automated processes.
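The log pass this answer suggests, as an added example (not the answerer's code). It reduces sshd's "Accepted publickey" lines to one row per (host, user, source address) with a count and the last timestamp seen, which is exactly the "which ones are still used, and by what" list the answer is after. It assumes RH-style syslog lines as written to /var/log/secure, with the host name in the fourth field, and tolerates the key fingerprint that newer OpenSSH appends after "ssh2" (that fingerprint, where present, is what lets you tie a login back to a specific authorized_keys entry). The log lines, hosts and addresses below are constructed for the example; password logins and failed publickey attempts are included to show they are not counted.

```shell
#!/bin/sh
# Added example, not from the answer. Summarises "Accepted publickey" lines in
# sshd's authentication log into one row per (host, user, source address) with
# a count and the last time seen, i.e. the list of trusts actually in use.
# Assumes RH-style syslog lines as written to /var/log/secure:
#   Mon DD HH:MM:SS host sshd[pid]: Accepted publickey for USER from ADDR port N ssh2
# (newer OpenSSH appends ": RSA SHA256:..." after ssh2; the parser tolerates it).

# publickey_logins [LOGFILE...]   (reads stdin when no file is given)
# Prints TAB-separated: host  user  from_addr  count  last_seen
publickey_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted publickey for / {
            # locate "for USER from ADDR" by its keywords instead of fixed columns
            for (i = 1; i <= NF; i++)
                if ($i == "for" && $(i + 2) == "from") {
                    key = $4 "\t" $(i + 1) "\t" $(i + 3)
                    count[key]++
                    last[key] = $1 " " $2 " " $3   # syslog timestamp; logs are chronological
                    break
                }
        }
        END { for (k in count) print k "\t" count[k] "\t" last[k] }
    ' "$@" | LC_ALL=C sort
}

# Constructed sample log (hypothetical hosts/addresses), including lines that
# must NOT count: a password login and a failed publickey attempt.
sample_secure_log() {
    cat <<'EOF'
Mar  3 04:15:01 prod01 sshd[2141]: Accepted publickey for app from 10.1.2.3 port 51234 ssh2
Mar  3 04:15:09 prod01 sshd[2150]: Accepted password for alice from 10.9.8.7 port 51240 ssh2
Mar  4 04:15:01 prod01 sshd[3302]: Accepted publickey for app from 10.1.2.3 port 51300 ssh2: RSA SHA256:FAKEfingerprint
Mar  4 09:30:12 qa01 sshd[777]: Accepted publickey for deploy from 10.1.2.3 port 33000 ssh2
Mar  4 11:02:44 prod01 sshd[3410]: Accepted publickey for root from 10.1.2.9 port 40010 ssh2
Mar  4 11:03:00 prod01 sshd[3411]: Failed publickey for root from 10.1.2.9 port 40011 ssh2
EOF
}

# Demo on the constructed log; on a real box: sudo sh -c '. ./this.sh; publickey_logins /var/log/secure*'
sample_secure_log | publickey_logins
```

Run it over the rotated logs too (/var/log/secure* on RH), otherwise a trust used only by a monthly job looks unused. Solaris writes sshd messages through syslog in the same "Accepted publickey for ... from ..." wording, but the file and timestamp prefix depend on syslog.conf, so check the host field position before trusting the first column there.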