On Fri, Sep 18, 2009 at 10:29:54AM -0400, bofh wrote: > Hi, > Just wanted to see how you guys manage authorized_keys. I'm trying to > move everyone off "legacy" protocols onto openssh, and one of my > proposals will involve using authorized keys for scripts/automated > processes. > > There's 400+ unix boxes. I know we can stick keys into > authorized_keys, but managing it for a bunch of automated processes > seems a bit unwieldy. Is there any way of pointing to an external > source, say, ldap? > > Thanks for any pointers!
In the present enironment I work in we have about 120 boxes and about 15 people that can run around as root for various tasks. To meet corporate requirements for tracking which sysadmin is doing what we have kerberos 5 in the environment and manage admin logins through centrally managed .k5login files and gssapi. For key based access to privileged accounts we have to, by corporate policy, lock down each authorized key to a specific host and features such as interactive login and port forwarding are disabled. On the down side, it's a PITA. On the up side, we have a strong incentive to keep the simplest trust graph possible. The nastiest web we have is about 17 accounts that need ssh access to two accounts. In that case the server that is sshed to is using a restricted shell. We're sure a determined cracker could compromise our scheme but 1) The gaping obvious holes with more disgruntled employees mucking with them are the web apps we host. 2) You know that recent theregister article about how more outtages are the result of incompetence rather than malice... the apps we host suffer from that problem. > -- Sandhurst officer cadet evaluation. > "Securing an environment of Windows platforms from abuse - external or > internal - is akin to trying to install sprinklers in a fireworks > factory where smoking on the job is permitted." -- Gene Spafford "Securing Windows NT: Wire Cutter or Thermite?" > learn french: http://www.youtube.com/watch?v=30v_g83VHK4 > -- Chris Dukes
