User management is boring and tedious, and it comes down to one thing: someone you trust needs access to your servers. What do you do? SSH for loop FTW! And what about when you stop trusting that person? Yeah... And once you have utility computing everywhere, running that loop a couple of times a day, even through a configuration management tool, is not worth the trouble.
Instead, use SSH certificates: they let you configure a server to trust user SSH keys that have been signed by a CA. That allows you to:
- Sign keys for a specific time period
- Revoke them
- Share one account, or give each user their own account
- Great for vendors, contractors, etc.
- Great for machine access, e.g. Nagios and other monitoring tools
- Force commands without the hassle of an SFTP chroot, etc.
- Lock the signed key to specific hosts and to the addresses those hosts are accessed from
Command line client that interfaces with Fenton Server, which eases SSH Key Management.
```
$ fenton key sign
Signing public key.
Enter public key to submit (/home/nictrix/.ssh/id_ecdsa.pub):
Signed user key ID: 'Nick Willever' Serial: 7003768346854646072 Principal: ubuntu Valid Between: 2013-10-19-11:02:15 PM - 2013-10-20-12:17:15 AM (/home/nictrix/.ssh/id_ecdsa-cert.pub)
$ ssh ubuntu@<server>
```

(This assumes you have a running instance of fenton server-api.)
- Create a CA private & public key
- Add the CA public key to the server that needs to be accessed (update /etc/ssh/sshd_config)
- Sign the user's public SSH key with the CA private key (this creates a *-cert.pub file next to the key)
- They can now ssh with their private key, because sshd accepts the matching *-cert.pub file
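The four steps above, together with the validity window, revocation, forced command and source-address locking from the feature list earlier, done by hand with OpenSSH's `ssh-keygen`. This is an added example, not Fenton's own code: Fenton automates the signing step, and this shows what happens underneath. The scratch directory, user names, serial number, command and address range are all constructed for the demo; only `ssh-keygen` and the `TrustedUserCAKeys` / `RevokedKeys` sshd_config directives are real.

```shell
#!/bin/sh
# Added example (not Fenton's own code): CA creation, server trust, signing,
# inspection and revocation of an SSH user certificate with plain ssh-keygen.
# Every path, name, serial and address below is constructed for the demo.
set -e

# Scratch directory standing in for the CA host (override with WORK=...).
WORK="${WORK:-$(mktemp -d)}"

# Step 1: create the CA key pair. user_ca (private) never leaves the CA host;
# user_ca.pub is what gets distributed to servers.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'example user CA' -f "$WORK/user_ca"
    echo "$WORK/user_ca.pub"
}

# Step 2: the sshd_config directives for a server that should trust the CA.
# RevokedKeys is optional, but it is what makes revocation take effect.
sshd_config_lines() {
    printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\n'
    printf 'RevokedKeys /etc/ssh/revoked_keys\n'
}

# A user key pair standing in for the public key a person would submit.
make_user_key() {
    ssh-keygen -q -t ed25519 -N '' -C "$1" -f "$WORK/$1"
    echo "$WORK/$1.pub"
}

# Step 3: sign the user's public key with the CA private key.
#   -I identity (shows up in the server's auth log), -z serial (used by the
#   KRL), -n principal (the account the holder may log in as), -V validity
#   window; remaining args are extra options such as -O force-command=...
# ssh-keygen writes the certificate next to the key as <name>-cert.pub.
sign_user_key() {
    pub="$1"; identity="$2"; serial="$3"; principal="$4"; validity="$5"
    shift 5
    ssh-keygen -q -s "$WORK/user_ca" -I "$identity" -z "$serial" \
        -n "$principal" -V "$validity" "$@" "$pub"
    echo "${pub%.pub}-cert.pub"
}

# Read one field of the certificate as printed by `ssh-keygen -L`.
cert_field() {
    ssh-keygen -L -f "$1" | sed -n "s/^ *$2: *//p"
}

# True if the certificate listing contains the given option or extension.
cert_has() {
    ssh-keygen -L -f "$1" | grep -q "$2"
}

# Revoke a certificate: the KRL records its serial under the signing CA.
revoke_cert() {
    ssh-keygen -q -k -f "$WORK/revoked_keys" "$1"
}

# Returns 0 if the KRL rejects the certificate, 1 if it is still accepted.
# Any error reading an existing KRL is treated as revoked (fail closed).
is_revoked() {
    [ -f "$WORK/revoked_keys" ] || return 1
    if ssh-keygen -Q -f "$WORK/revoked_keys" "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Step 4 is the user simply running ssh with the private key; sshd picks up
# the *-cert.pub beside it. Walk the whole flow once when run directly.
demo() {
    make_ca >/dev/null
    sshd_config_lines
    user_pub=$(make_user_key nick)
    cert=$(sign_user_key "$user_pub" 'Nick Example' 42 ubuntu +1h \
        -O force-command=/usr/bin/uptime -O source-address=10.0.0.0/8)
    ssh-keygen -L -f "$cert"
    revoke_cert "$cert"
    if is_revoked "$cert"; then echo "$cert is now revoked"; fi
}

if command -v ssh-keygen >/dev/null 2>&1; then demo; fi
```

The `-V +1h` window and the `-z` serial are what give you the time-limited, individually revocable access from the feature list: expiry needs nothing from the server, and revocation is a one-line KRL update on each server rather than touching every `authorized_keys` file.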