[RndTbl] Hey security guys!
sean at ertw.com
Thu Mar 20 14:20:47 CDT 2014
Use chef/puppet/ansible/fuckingshellscripts.org and distribute individual
keys to the appropriate user accounts. Then you can manage
keys/sudo/centralized auth much easier.
On Thu, Mar 20, 2014 at 1:38 PM, Kevin McGregor
<kevin.a.mcgregor at gmail.com> wrote:
> We have a pile of Linux servers here at work. We'd like to set up the
> shared keys to simplify admin via SSH. Here's the thing (quoted from an
> email I received):
> We are thinking of putting public/private ssh keys on all of our Linux
> The purpose of this is so that our central admin server can "do stuff" on
> all of our servers without needing a password. We are wondering how far to
> go for convenience.
> Below are restrictions that we can place on the key pair (there may be
> others, but these are the ones of which I'm aware). Have a look at each
> restriction and consider whether we should use the restriction or not.
> Basically it would be most convenient to have none of the restrictions.
> · We can create a password on the key pair
> o This would defeat the whole purpose of using the key pair to avoid
> · We can limit which user can run things on the target machine
> o Most likely, we would install the public key for the user root
> (therefore things would run as user=root)
> · We can limit what commands can be run on the target machine
> o We would like to leave this wide open so we can run anything remotely
> · We can limit the source machine that can initiate remote
> commands (i.e. commands can only come from the admin machine)
> o It would be nice to not have this limit as we could move the private
> key onto other machines (e.g. a VM on your desktop) to be able to run things
> o The downside is that if anybody gets the private key, they can do
> Note that firewalls should prevent people from the internet trying to
> connect to ssh.
> [Comments, anyone? - Kevin]
> Roundtable mailing list
> Roundtable at muug.mb.ca
Sean Walberg <sean at ertw.com> http://ertw.com/
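The restrictions Kevin lists (a passphrase, which account the key lands in, `command=`, `from=`) are mostly expressed as options in the target account's `authorized_keys` file, so the convenience-vs-exposure trade-off is something you can audit after the fact. The following is an added example, not part of the original thread and not Sean's or Kevin's code: a small parser for the OpenSSH `authorized_keys` line format that reports, for each key, whether a source restriction (`from=`) and a forced command (`command=`) are present, and flags keys with neither, which is the "wide open" root key the email proposes. The key data, hosts and wrapper path in the sample are constructed placeholders, and the passphrase question cannot be checked here because it lives on the private key, not the server.

```python
"""Audit an authorized_keys file for 'from=' and 'command=' restrictions.

Added example (not from the original mailing-list post). Sample data below
is constructed; key material is a placeholder, not a real public key.
"""
import re

# Key types OpenSSH accepts at the start of the key portion of a line.
KEY_TYPE_RE = re.compile(r'^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$')

# Constructed sample: the same admin key installed for root three ways.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample file; AAAA... values are placeholders, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA00000000000000000000000000001 admin@central (wide open)
from="10.0.0.5,10.0.0.6" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA00000000000000000000000000002 admin@central (source-limited)
from="10.0.0.5",command="/usr/local/sbin/admin-wrapper",no-pty,no-port-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA00000000000000000000000000003 admin@central (locked down)
"""


def split_line(line):
    """Return (options, key_type, key_data, comment) or None for blank/comment lines.

    Options precede the key type and may contain quoted values with spaces and
    commas, so the first unquoted whitespace marks where the options end.
    """
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    i, in_quote = 0, False
    while i < len(line):
        c = line[i]
        if c == '\\' and in_quote:      # backslash-escaped char inside quotes
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    first, rest = line[:i], line[i:].lstrip()
    if KEY_TYPE_RE.match(first):        # no options on this line
        options, remainder = '', line
    else:
        options, remainder = first, rest
    parts = remainder.split(None, 2)
    if len(parts) < 2 or not KEY_TYPE_RE.match(parts[0]):
        raise ValueError('unrecognised authorized_keys line: %r' % line)
    comment = parts[2] if len(parts) == 3 else ''
    return options, parts[0], parts[1], comment


def parse_options(options):
    """Parse 'a,b="x,y",c="q\\"z"' into {'a': True, 'b': 'x,y', 'c': 'q"z'}.

    Commas inside quotes do not split; backslash escapes the next char.
    A repeated option (e.g. environment=) keeps only the last value here.
    """
    result, i, n = {}, 0, len(options)
    while i < n:
        j = i
        while j < n and options[j] not in '=,':
            j += 1
        name = options[i:j].lower()
        if j < n and options[j] == '=':
            j += 1
            if j >= n or options[j] != '"':
                raise ValueError('option %s: expected quoted value' % name)
            j += 1
            buf = []
            while j < n and options[j] != '"':
                if options[j] == '\\' and j + 1 < n:
                    j += 1
                buf.append(options[j])
                j += 1
            j += 1                      # skip closing quote
            value = ''.join(buf)
        else:
            value = True                # flag option such as no-pty
        result[name] = value
        if j < n and options[j] == ',':
            j += 1
        i = j
    return result


def audit(text):
    """Return one finding per key: which of from=/command= are missing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = split_line(line)
        if parsed is None:
            continue
        options, key_type, _key_data, comment = parsed
        opts = parse_options(options)
        missing = [name for name in ('from', 'command') if name not in opts]
        findings.append({
            'line': lineno, 'type': key_type, 'comment': comment,
            'from': opts.get('from'), 'command': opts.get('command'),
            'missing': missing, 'wide_open': len(missing) == 2,
        })
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_AUTHORIZED_KEYS):
        status = 'WIDE OPEN' if f['wide_open'] else 'missing: ' + ', '.join(f['missing']) or 'restricted'
        print('line %d %-30s %s' % (f['line'], f['comment'], status))
```

Run it against `/root/.ssh/authorized_keys` on each host (e.g. from the same config-management tool that installs the keys) and the third sample line is the shape to aim for: source-limited, forced through a wrapper, and with pty and forwarding disabled, so a stolen private key buys far less than the "run anything as root from anywhere" setup the email describes.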