Ask HN: Best Ideas or Links for SSH User/Key Management for Groups? - jqueryin

I work at a relatively small development agency. Every so often we have somebody who parts ways; we have to tie up all loose ends in regards to account access, SSH public keys, etc. Are there any intuitive web interfaces or CLI apps for maintaining user access control (primarily SSH, but suggestions welcome) to a number of different machines?

I myself have used groups internally, but it still entails me remoting into the box to revoke access. It'd be nice if there were some unified way to revoke access across multiple machines.

Thanks!
======
jqueryin
Some more digging netted me some positive results for using Puppet:

[http://itand.me/using-puppet-to-manage-users-passwords-and-s...](http://itand.me/using-puppet-to-manage-users-passwords-and-ss)
[http://serverfault.com/questions/58790/how-can-i-have-puppet...](http://serverfault.com/questions/58790/how-can-i-have-puppet-deploy-ssh-keys-for-virtual-users)

------
jqueryin
I've also got to quickly add that there are often scenarios where we have SSH
access to client machines that are entirely out of our control. We might have
limited access (i.e. no sudo/su). This scenario is the more difficult of the
bunch for me to wrap my head around resolving.

------
Duff
To avoid the inevitable errors that turn into security problems, you need to
either use a network-based authentication mechanism or limit ingress into the
network to a single point to reduce the number of things that you need to
touch.

------
JoachimSchipper
'AllowGroups ssh-users' locks out anyone not in the group ssh-users (notably,
including any test accounts you may have misconfigured). You'll have to do
_something_ with the account anyway, so...

There are various ways of central access control (modern SSH has certificates;
Kerberos works too), which may also help here. But that's probably overkill
for your issue.

------
ichverstehe
Use a VPN. Make that the only point of entry, and whenever somebody departs,
you only have to revoke access to the VPN. Here's a decent OpenVPN guide:
<http://code.mixpanel.com/openvpn-in-the-rackspace-cloud/>

------
nodata
If your public keys are properly named in the authorized_hosts file, then you
would just use sed to remove the relevant keys.

If you don't want to do that, any centralised user management system would
allow removal of the user from the allowed ssh group, and adding a VPN layer
is good too.
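As an added example (not code from the thread or from any commenter), here is the "properly named keys" removal nodata describes, done with awk instead of sed so that only the owner comment at the end of each line is matched, never a substring of the key material, and with the file rewritten atomically. The owner names and key blobs are constructed; the assumptions are that every key line ends with an owner comment like `alice@laptop` and that the comment contains no spaces.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes each key line ends with an owner
# comment such as "alice@laptop" (nodata's naming convention) and that the
# comment contains no spaces. Keys may carry leading options like command="...".

# awk condition: a non-blank, non-comment line whose owner comment equals WHO,
# or whose user part (before "@") equals WHO when WHO itself has no "@".
MATCH='!/^[[:space:]]*(#|$)/ && ($NF == who || (who !~ /@/ && substr($NF, 1, index($NF, "@") - 1) == who))'

# count_keys FILE NAME: how many keys in FILE belong to NAME.
count_keys() {
    awk -v who="$2" "$MATCH { n++ } END { print n+0 }" "$1"
}

# revoke_key FILE NAME: remove NAME's keys from FILE. The output goes to a temp
# file that is renamed over the original, so sshd never reads a half-written
# file, and the 0600 mode sshd expects is restored before the rename.
revoke_key() {
    file="$1"; name="$2"; tmp="$file.tmp.$$"
    awk -v who="$name" "$MATCH { next } { print }" "$file" > "$tmp" ||
        { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# make_sample FILE: write a constructed authorized_keys (fake key material).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYALICE alice@laptop
command="/usr/bin/rsync --server",no-pty ssh-rsa AAAAB3NzaC1yc2EFAKEKEY alice@backup
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYBOB bob@desktop
EOF
    chmod 600 "$1"
}
```

Run `revoke_key ~user/.ssh/authorized_keys alice` on each box (or push the same script through whatever remote-execution tool you already use); revoking `alice` drops both of her keys, while `alice@backup` would drop only that one.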

