We're currently running a growing deployment in Amazon Web Services for our software. Right now we use a centralized SSH key (WTF YOU GUYS) to login to hosts in our VPC. I'm investigating more secure and manageable ways to do this. What I'd like to do is have everyone create an SSH key pair and control access with an authorized_keys list to these instances. Has anyone ever done anything like this? The internet is pretty sparse on best practices and ideas on how to accomplish this. Here is what I'm thinking will be the best solution:

1.) Have all the users create key pairs for their username in all the environments they have access to.
2.) Make sure users have an IAM role that allows them to SSH to the servers through the VPC and Bastion host.
3.) Set up some sort of puppet script (which we run hourly on all of our EC2 instances) which maintains the authorized keys list.

This would make it easy to maintain the authorized_keys list and create something manageable for our DevOps team when a new user is added/leaves the company. If this worked in a pilot situation it would be pretty easy to automate out the puppet side of things, I'm pretty sure.

# ? Aug 27, 2014 13:54 |
|
Virigoth posted:
> We're currently running a growing deployment in Amazon Web Services for our software. Right now we use a centralized SSH key (WTF YOU GUYS) to login to hosts in our VPC. I'm investigating more secure and manageable ways to do this. What I'd like to do is have everyone create an SSH key pair and control access with an authorized_keys list to these instances. Has anyone ever done anything like this? The internet is pretty sparse on best practices and ideas on how to accomplish this.

Why aren't you using an ldap server to centralize user information? You can store the public key info in that fairly simply. http://itdavid.blogspot.co.uk/2013/11/howto-configure-openssh-to-fetch-public.html
|
# ? Aug 27, 2014 14:23 |
|
That is another option we're considering. I'm just a tester who was asked to look at this as an outside eye so I won't (hopefully) do any of the implementation on this. JumpCloud is a service we were looking at to do the LDAP stuff for us.
|
# ? Aug 27, 2014 15:34 |
|
I've been using JumpCloud at work, their new LDAP offering is promising, other than the $10(?) per machine pricing, but running a utility server would run in the $100+ range anyways (with time spent maintaining stuffs). Even with JumpCloud or key distribution via LDAP or CM based user setup, unless you are using Amazon Linux you will need to set up a new base image with init scripts set up for that by default (so no need to share a SSH key for deployment). IAM wouldn't be used for the user logins, you may need it for poking holes in your VPC (if you use VPN + PAM on your Bastion server).
|
# ? Aug 27, 2014 17:14 |
|
Virigoth posted:
> That is another option we're considering. I'm just a tester who was asked to look at this as an outside eye so I won't (hopefully) do any of the implementation on this. JumpCloud is a service we were looking at to do the LDAP stuff for us.

It's too late, you've already been nominated to implement this fully.
|
# ? Aug 27, 2014 17:38 |
|
Having a CM system like puppet push out authorized_keys files is a pretty standard way of solving the problem.
|
# ? Aug 27, 2014 18:30 |
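The CM approach described in the post above and in Virigoth's three-step plan, as an added example that is not from the thread or from any poster: one Puppet class that takes a single hash of people and their public keys (here inline with placeholder keys; in practice it would come from Hiera), creates an account per person with only that person's key, and removes the account when the entry is flipped to absent. The class name, the `ops_users` hash and the usernames are assumptions for illustration.

```puppet
# Added example, not from the thread. Per-person accounts and keys driven
# by one central hash, so on/off-boarding is an edit to this data rather
# than touching hosts by hand. Keys below are constructed placeholders.
class ops_ssh_access (
  Hash $ops_users = {
    'alice' => {
      'ensure' => 'present',
      'type'   => 'ssh-ed25519',
      'key'    => 'PLACEHOLDER_PUBLIC_KEY_ALICE',
    },
    # Left the company: flipping ensure to 'absent' removes the account,
    # its home directory and therefore its authorized_keys on the next run.
    'bob'   => {
      'ensure' => 'absent',
      'type'   => 'ssh-ed25519',
      'key'    => 'PLACEHOLDER_PUBLIC_KEY_BOB',
    },
  },
) {
  $ops_users.each |String $name, Hash $attrs| {
    if $attrs['ensure'] == 'present' {
      user { $name:
        ensure     => present,
        managehome => true,
        shell      => '/bin/bash',
      }
      # Exactly one declared key per person; the resource title is the
      # comment written into authorized_keys, which is what Puppet matches on.
      ssh_authorized_key { "${name}@ops":
        ensure  => present,
        user    => $name,
        type    => $attrs['type'],
        key     => $attrs['key'],
        require => User[$name],
      }
    } else {
      # Do not declare an ssh_authorized_key for a user being removed:
      # the provider needs the account to exist to locate the file.
      user { $name:
        ensure     => absent,
        managehome => true,
      }
    }
  }

  # Make the hash authoritative: any key Puppet finds that is not declared
  # above is removed. This includes keys for root or the image's default
  # login user, so declare those too (or leave purge off) during the pilot.
  resources { 'ssh_authorized_key':
    purge => true,
  }
}
```

Run hourly from the existing Puppet schedule this replaces the shared key with per-person keys that are auditable by username, and a departure is a single data change.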
|
|
Stanley Pain posted:
> It's too late, you've already been nominated to implement this fully.

Yes.
|
# ? Sep 3, 2014 18:29 |