Virigoth
Apr 28, 2009

Give me the axe.
We need more guts.


We're currently running a growing deployment in Amazon Web Services for our software. Right now we use a centralized SSH key (WTF YOU GUYS) to log in to hosts in our VPC. I'm investigating more secure and manageable ways to do this. What I'd like to do is have everyone create an SSH key pair and control access with an authorized_keys list to these instances. Has anyone ever done anything like this? The internet is pretty sparse on best practices and ideas on how to accomplish this.

Here is what I'm thinking will be the best solution:
1.) Have all the users create key pairs for their username in all the environments they have access to.
2.) Make sure users have an IAM role that allows them to SSH to the servers through the VPC and Bastion host
3.) Set up some sort of Puppet script (which we run hourly on all of our EC2 instances) which maintains the authorized_keys list

This would make it easy to maintain the authorized_keys list and create something manageable for our DevOps team when a new user is added/leaves the company. If this worked in a pilot situation it would be pretty easy to automate out the puppet side of things I'm pretty sure.
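One way step 3 could look in practice, as an added example that is not code from the thread or from any of the products mentioned in it: a small Python script that renders a per-environment authorized_keys file from a central user directory. The directory is a constructed, inline stand-in for whatever the hourly CM run would actually read (a Puppet data file, or an LDAP/JumpCloud lookup); all user names, environment names and key material are invented for the example. It validates each public key line before installing it, reports rejected keys instead of silently dropping them, and handles offboarding by simply omitting users who no longer have access to the environment.

```python
"""Render per-environment authorized_keys files from a central user directory.

Added example for the thread above; not code from the original post.
The DIRECTORY below is a constructed stand-in for the CM data source
(Puppet data, LDAP, JumpCloud, ...). Users, environments and keys are invented.
"""
import base64
import struct

# Public key types we are willing to install. ssh-dss is deliberately absent.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def _ssh_string(data: bytes) -> bytes:
    """Encode `data` as an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def constructed_pubkey_line(key_type: str, seed: int, comment: str) -> str:
    """Build a syntactically valid public key line for the sample directory.

    The 32-byte key body is one repeated dummy byte, NOT a real key; it exists
    only so the parser below has well-formed input to check.
    """
    blob = _ssh_string(key_type.encode()) + _ssh_string(bytes([seed]) * 32)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed directory: user -> environments they may reach, and their keys.
# Offboarding a user means emptying (or deleting) their entry; the next CM run
# then drops them from every host's authorized_keys.
DIRECTORY = {
    "alice": {"envs": {"prod", "staging"},
              "keys": [constructed_pubkey_line("ssh-ed25519", 1, "alice@laptop")]},
    "bob":   {"envs": {"staging"},
              "keys": [constructed_pubkey_line("ssh-ed25519", 2, "bob@laptop")]},
    "carol": {"envs": {"prod"},
              "keys": ["ssh-rsa not-base64!! carol@desktop"]},   # mangled paste
    "dave":  {"envs": set(),                                     # left the company
              "keys": [constructed_pubkey_line("ssh-ed25519", 4, "dave@laptop")]},
}


def parse_pubkey_line(line: str):
    """Return (key_type, base64_blob, comment) or raise ValueError.

    Beyond checking the shape, the declared type must match the type string
    embedded in the decoded blob, which catches a common copy/paste mix-up.
    """
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"key type {key_type!r} is not allowed")
    try:
        blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"key blob is not valid base64: {exc}") from exc
    if len(blob) < 4:
        raise ValueError("key blob is truncated")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared type does not match the type inside the blob")
    return key_type, b64, comment


def is_valid_pubkey_line(line: str) -> bool:
    """True if `line` would be accepted by parse_pubkey_line."""
    try:
        parse_pubkey_line(line)
        return True
    except ValueError:
        return False


def render_authorized_keys(directory, env: str, options: str = ""):
    """Return (file_text, rejected) for hosts in `env`.

    `options` is an authorized_keys option string (e.g. "no-agent-forwarding")
    prepended to every key. Rejected keys are reported, not silently dropped,
    so a bad paste shows up in the CM run's output rather than as a lockout.
    """
    lines, rejected = [], []
    for user in sorted(directory):
        entry = directory[user]
        if env not in entry["envs"]:
            continue                      # no access here (or offboarded)
        for raw in entry["keys"]:
            try:
                key_type, b64, comment = parse_pubkey_line(raw)
            except ValueError as exc:
                rejected.append((user, str(exc)))
                continue
            prefix = f"{options} " if options else ""
            lines.append(f"{prefix}{key_type} {b64} {user}:{comment}")
    header = "# Managed by configuration management; local edits are overwritten.\n"
    return header + "".join(l + "\n" for l in lines), rejected


if __name__ == "__main__":
    for env in ("prod", "staging"):
        text, rejected = render_authorized_keys(DIRECTORY, env, "no-X11-forwarding")
        print(f"--- {env} ---\n{text}rejected: {rejected}")
```

The CM agent would run this (or the equivalent logic in a Puppet module) on each host, pass in the host's environment, and write the result over the managed authorized_keys file, so a user removed from the directory disappears from every host within one run interval.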


jre
Sep 2, 2011

To the cloud?

Virigoth posted:

We're currently running a growing deployment in Amazon Web Services for our software. Right now we use a centralized SSH key (WTF YOU GUYS) to log in to hosts in our VPC. I'm investigating more secure and manageable ways to do this. What I'd like to do is have everyone create an SSH key pair and control access with an authorized_keys list to these instances. Has anyone ever done anything like this? The internet is pretty sparse on best practices and ideas on how to accomplish this.

Here is what I'm thinking will be the best solution:
1.) Have all the users create key pairs for their username in all the environments they have access to.
2.) Make sure users have an IAM role that allows them to SSH to the servers through the VPC and Bastion host
3.) Set up some sort of Puppet script (which we run hourly on all of our EC2 instances) which maintains the authorized_keys list

This would make it easy to maintain the authorized_keys list and create something manageable for our DevOps team when a new user is added/leaves the company. If this worked in a pilot situation it would be pretty easy to automate out the puppet side of things I'm pretty sure.

Why aren't you using an LDAP server to centralize user information? You can store the public key info in that fairly simply.

http://itdavid.blogspot.co.uk/2013/...tch-public.html

Virigoth
Apr 28, 2009

Give me the axe.
We need more guts.


That is another option we're considering. I'm just a tester who was asked to look at this as an outside eye, so I won't (hopefully) do any of the implementation on this. JumpCloud is a service we were looking at to do the LDAP stuff for us.

Dr. Jackal
Sep 13, 2009


I've been using JumpCloud at work, their new LDAP offering is promising, other than the $10(?) per machine pricing, but running a utility server would run in the $100+ range anyways (with time spent maintaining stuffs).

Even with JumpCloud, key distribution via LDAP, or CM-based user setup, unless you are using Amazon Linux you will need to set up a new base image with init scripts set up for that by default (so no need to share an SSH key for deployment).

IAM wouldn't be used for the user logins; you may need it for poking holes in your VPC (if you use VPN + PAM on your Bastion server).

Stanley Pain
Jun 16, 2001

Bit. Trip. RIP.


Virigoth posted:

That is another option we're considering. I'm just a tester who was asked to look at this as an outside eye, so I won't (hopefully) do any of the implementation on this. JumpCloud is a service we were looking at to do the LDAP stuff for us.

It's too late, you've already been nominated to implement this fully.

Ninja Rope
Oct 22, 2005

Wee.


Having a CM system like Puppet push out authorized_keys files is a pretty standard way of solving the problem.


Virigoth
Apr 28, 2009

Give me the axe.
We need more guts.


Stanley Pain posted:

It's too late, you've already been nominated to implement this fully.


Yes.
