I have about 20 servers...how do I manage the SSH keys and permissions of each?

security unix networking linux permissions

I have database servers, web servers, SVN servers, etc. Often times I ssh among them...or they auto-ssh.

How do I manage what server gets to log into which others?


I use Puppet, and have a class defined for every key, then classes that include those classes to define the "groups" of keys I have (for us it's people -- so L1 techs, L2 techs, managers, developers -- but you can do db servers, fileservers, svn servers, etc). Then the various types of machines have their own manifests that define which of those groups have access to that type of machine, so development boxes have L1, L2, and developers, prod servers have L1 and L2, sensitive servers just have L2, that sort of thing. Adding a new machine is just a matter of deciding which classes it belongs to and adding a few lines here and there, which we have documented in our new machine commissioning procedures.


We are using OpenLDAP for storing users':

  • public keys
  • passwords
  • uids
  • sudo rights
  • real names
  • phone numbers
  • emails
  • and etc.

It's stable, easy to expand, has a lot of documentation and integration features, so I recommend it.

Related

Purpose behind subordinate Certificate Authorities
How to convert a Win2003 server to a Hyper-V Virtual Machine?
Check to see if a directory exists remotely (shell script)
Does using SSL cause a significant performance hit?
How do you manage passwords for a large number of servers?
Why is my Linux ICA client unable to use the "CTRL" key?
Why would sshd allow root logins by default?
Does kerbtray.exe not exist for windows server 2008
What does 192.168/16 mean? [closed]
dd vs. secure-erase for reconditiong SSDs
File store organisation
For file transfer, does ftp perform better than http?