Re: managing authorized_keys

From: Chris Dukes
Date: Monday, September 21, 2009 - 8:01 pm

On Fri, Sep 18, 2009 at 10:29:54AM -0400, bofh wrote:

In the present environment I work in we have about 120 boxes and about
15 people that can run around as root for various tasks.
To meet corporate requirements for tracking which sysadmin is doing
what we have kerberos 5 in the environment and manage admin logins through
centrally managed .k5login files and gssapi.

For key based access to privileged accounts we have to, by corporate
policy, lock down each authorized key to a specific host and features
such as interactive login and port forwarding are disabled.
On the down side, it's a PITA.  On the up side, we have a strong incentive
to keep the simplest trust graph possible.

The nastiest web we have is about 17 accounts that need ssh access to 
two accounts.  In that case the server that is sshed to is using a restricted
shell.

We're sure a determined cracker could compromise our scheme but
1) The gaping obvious holes with more disgruntled employees mucking
with them are the web apps we host.
2) You know that recent theregister article about how more outages
are the result of incompetence rather than malice... the apps we host
suffer from that problem.


"Securing Windows NT:  Wire Cutter or Thermite?"


-- 
Chris Dukes
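
The per-key policy described in this message (each key tied to a specific host, interactive login and port forwarding disabled) can be checked mechanically. The following is an added example, not code from the post or the poster's site; it assumes the policy maps to OpenSSH's `from=`, `no-pty` and `no-port-forwarding` options (or `restrict`), and the sample entries are constructed.

```python
import re

# One option: name, optionally ="value" where the value may hold spaces, commas, \" escapes.
OPT = r'[A-Za-z0-9-]+(?:="(?:\\.|[^"\\])*")?'
LINE = re.compile(rf'^(?:(?P<opts>{OPT}(?:,{OPT})*)\s+)?'
                  r'(?P<type>(?:ssh-|ecdsa-|sk-)\S+)\s+(?P<blob>\S+)(?:\s+(?P<comment>.*))?$')
PAIR = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?')

def audit(line):
    """Return the policy findings for one authorized_keys entry ([] means compliant)."""
    m = LINE.match(line.strip())
    if not m:
        return ["unparseable entry"]
    opts = {name.lower(): value for name, value in PAIR.findall(m["opts"] or "")}
    findings = []
    source = opts.get("from", "")
    if not source:
        findings.append("no from= host restriction")
    elif "*" in source or "?" in source:
        findings.append("from= uses a wildcard, not a specific host")
    # "restrict" switches features off; an explicit "pty"/"port-forwarding" switches one back on.
    # sshd applies options in order; this check is stricter and flags any re-enable.
    for feature, label in (("pty", "interactive login (pty)"), ("port-forwarding", "port forwarding")):
        disabled = f"no-{feature}" in opts or "restrict" in opts
        if not disabled or feature in opts:
            findings.append(f"{label} not disabled")
    return findings

def audit_file(text):
    """Map 1-based line number -> findings for every non-compliant entry in the text."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            found = audit(line)
            if found:
                report[number] = found
    return report

# Constructed sample: hosts, comments and (truncated) key blobs are made up.
SAMPLE = '''# privileged account keys
from="10.1.2.3",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2E backup@loghost
ssh-rsa AAAAB3NzaC1yc2E admin@laptop
restrict,from="*.example.com" ssh-ed25519 AAAAC3NzaC1lZDI1 deploy@build
command="rsync --server, -e",from="10.1.2.4",restrict,pty ssh-ed25519 AAAAC3NzaC1lZDI1 sync@mirror
'''

if __name__ == "__main__":
    for number, found in audit_file(SAMPLE).items():
        print(f"line {number}: " + "; ".join(found))
```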