Struggling with SSH key management

Hi all,

I’m about a week away from deploying a Business Unit to AWS and I’ve been puzzling over this problem for a while. I’ll lay it out for you.

We have about 20 people who will need varying levels of access to different systems. I don’t want to allow them to share keys, but I also don’t want to have to manually add pubkeys to authorized_keys.

Ideally, a solution would exist where there’s some sort of PAM that authenticates the user’s key against an external key management server.

Part of the problem is that this deployment will quickly scale up to 5000 instances and that’s going to be impossible to manage manually.

Anyone have any ideas?

If it’s all Linux you could deploy FreeIPA to manage it. It may or may not fit any requirements you need for authentication.

2 Likes

That might work. I’m going to read up on it.

Ansible can copy ssh keys if that helps: https://docs.ansible.com/ansible/latest/authorized_key_module.html

1 Like
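A sketch of the Ansible route linked above, added here as an example and not taken from the thread or the Ansible docs. It assumes inventory groups named `web` and `db`, the `ansible.posix` collection for the `authorized_key` module, and placeholder public keys; each person gets exactly one key of their own, installed only on hosts in the groups they are allowed to reach, with `exclusive` ensuring nothing else lingers in `authorized_keys`, and leavers removed everywhere in the same run.

```yaml
# Added example, not from the thread. Assumes inventory groups "web" and "db"
# and the ansible.posix collection; key strings are placeholders.
- name: Manage per-person SSH keys from one central list
  hosts: all
  become: true
  vars:
    # Constructed sample: one key per person, never shared between people.
    ssh_users:
      - name: alice
        groups: [web, db]
        state: present
        key: "ssh-ed25519 AAAA-PLACEHOLDER-ALICE alice@example.com"
      - name: bob
        groups: [web]
        state: present
        key: "ssh-ed25519 AAAA-PLACEHOLDER-BOB bob@example.com"
      - name: carol          # has left the team
        groups: [web, db]
        state: absent
        key: "ssh-ed25519 AAAA-PLACEHOLDER-CAROL carol@example.com"
  tasks:
    - name: Create an account for each current person allowed on this host
      ansible.builtin.user:
        name: "{{ item.name }}"
        shell: /bin/bash
      loop: "{{ ssh_users }}"
      when:
        - item.state == 'present'
        - group_names | intersect(item.groups) | length > 0

    - name: Install each person's own key; exclusive drops anything else in the file
      ansible.posix.authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.key }}"
        state: present
        exclusive: true        # per loop item, i.e. per user account
      loop: "{{ ssh_users }}"
      when:
        - item.state == 'present'
        - group_names | intersect(item.groups) | length > 0

    - name: Remove leavers entirely (account, home and authorized_keys) on every host
      ansible.builtin.user:
        name: "{{ item.name }}"
        state: absent
        remove: true
      loop: "{{ ssh_users }}"
      when: item.state == 'absent'
```

Run it from a scheduler or CI job so a change to `ssh_users` propagates to all hosts, which is where this approach starts to strain at thousands of instances compared with FreeIPA's central lookup.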

It’s definitely an option that I was aware of.

This will let you do HBAC, 2FA, Kerberos, etc. if required without the need to manage keys across all the systems themselves.

That’s basically what I was looking for. Let’s just hope I can build an AMI with this integration and call it a day.

As suggested, Ansible is really awesome for basic SSH key management; a big pro for me is the ease of disaster recovery. I’ve run solutions like Samba AD before, and while it was generally rock solid, rebuilding from scratch was always somewhat of a hassle. If it was only a medium-sized deployment, going the Ansible way would probably be great, but in your case having a true identity management solution like FreeIPA available might be better.

I’ve also been keeping an eye on solutions like Aker, but at the moment I would not describe it as production ready. It might be great for future integration with FreeIPA, though.

2 Likes

Hmm, it’s looking like a pretty good solution.

I’m going to keep an eye on this one.