

Ask HN: How do you manage server access? - maverhick

We are working on a web project which requires 8 servers. Some are web, some middleware, some database. How to best manage SSH/Security Access?

What are the best ways to manage access to ensure security?

Team members join in, leave later. How do you manage access at an individual user level? How do you make sure this does not get unwieldy as the no. of servers increase and the team members are transient?

Thanks
======
chuhnk
We've got 9-10 production servers. My methodology is allow what you want and
deny everything else. So with iptables specific ports are open for public
access and all else is dropped. For complete access to the servers we use
openvpn. OpenVPN is set up on one server in the production environment that
acts as a gateway to the rest of the servers. Only those with vpn keys can
gain access. Each developer is given a specific IP and access is restricted
through iptables based on what their requirements are. Knockd, a port knocking
daemon, is used as a way to open a hole in the firewall for 60 seconds to make
the connection to openvpn. I have a backdoor in case openvpn or knockd go down.
The great thing with openvpn is later on you can disable keys if need be. User
accounts are created across the servers for users; however, ssh keys are only
added to the specific servers they may need access to. No passwords; people
use insecure passwords, and they can be cracked. SSH keys with 2048 bits work
nicely.
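
The per-server key placement described in this post, and the join/leave churn the question raises, can be kept in a single roster and reconciled against what is actually deployed. The following is an added example, not code from the thread; the role names, server names, keys and the deployed snapshot are all constructed sample data.

```python
# Added example: derive which SSH public keys belong on which server from a
# roles-to-servers map and a team roster, then diff against the keys currently
# deployed so that a departed member's key shows up as a removal.
from typing import Dict, List, Set, Tuple

# Constructed sample data: which servers each role grants access to.
ROLE_SERVERS: Dict[str, List[str]] = {
    "web": ["web1", "web2"],
    "middleware": ["mw1"],
    "db": ["db1"],
}

# Constructed roster: user -> (roles needed, public key line as it would
# appear in ~/.ssh/authorized_keys). Keys are placeholders, not real keys.
TEAM: Dict[str, Tuple[Set[str], str]] = {
    "alice": ({"web", "middleware"}, "ssh-ed25519 AAAAC3_FAKE_ALICE alice@laptop"),
    "bob": ({"db"}, "ssh-ed25519 AAAAC3_FAKE_BOB bob@laptop"),
}

# Constructed snapshot of keys currently present on each server. carol has
# left the team but her key is still on web1.
DEPLOYED: Dict[str, Set[str]] = {
    "web1": {"ssh-ed25519 AAAAC3_FAKE_ALICE alice@laptop",
             "ssh-ed25519 AAAAC3_FAKE_CAROL carol@laptop"},
    "web2": {"ssh-ed25519 AAAAC3_FAKE_ALICE alice@laptop"},
    "mw1": set(),
    "db1": {"ssh-ed25519 AAAAC3_FAKE_BOB bob@laptop"},
}


def desired_keys(role_servers: Dict[str, List[str]],
                 team: Dict[str, Tuple[Set[str], str]]) -> Dict[str, Set[str]]:
    """Map every server to the set of keys that should be present on it."""
    wanted: Dict[str, Set[str]] = {s: set() for servers in role_servers.values() for s in servers}
    for _user, (roles, key) in team.items():
        for role in roles:
            for server in role_servers.get(role, []):
                wanted[server].add(key)
    return wanted


def reconcile(desired: Dict[str, Set[str]],
              deployed: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Per server, list keys to add and keys to remove (stale keys of people
    no longer in the roster, or moved to other roles, land in 'remove')."""
    plan: Dict[str, Dict[str, List[str]]] = {}
    for server in sorted(set(desired) | set(deployed)):
        want = desired.get(server, set())
        have = deployed.get(server, set())
        plan[server] = {"add": sorted(want - have), "remove": sorted(have - want)}
    return plan


if __name__ == "__main__":
    for server, changes in reconcile(desired_keys(ROLE_SERVERS, TEAM), DEPLOYED).items():
        print(server, changes)
```

Running the reconciliation on a schedule, and treating any non-empty `remove` list as an alert, turns "did we revoke that key everywhere?" into a check rather than a memory exercise.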

------
tipt0e
Use a centralized id solution, such as ldap or kerberos, or a combination of
the two. Both MIT and Heimdal kerberos implementations play nicely with
OpenSSH. There is also a patch available (somewhere) for OpenSSH to allow one
to put their SSH public keys into an LDAP directory.

