
Possible Duplicate:
A system for distributing SSH public keys

Need help managing developer authentication on our system. We have multiple CentOS servers (database, Web, Redis, etc.), and it is important to be able to control access to them in a centralized, (hopefully) simple manner. What we use right now is the authorized_keys file, where we copy the key data from the keys our developers have generated. This, however, is not so scalable and flexible, since we need to update several servers whenever someone enters / leaves the team.

One possibility we have available is to have a centralized file that gets copied to every server, before doing an sshd restart. I am interested, however, in finding out if there is a better pattern or alternative way of doing this, before I invest the time implementing that.

What is the usual pattern for authenticating several users, particularly in a multi-server environment? Bonus points for a solution that also lets us define some sort of role, to encapsulate access (i.e. front-end developers may not need to access the database servers, as a very contrived example).

Thanks very much!

Juan Carlos Coto
  • http://serverfault.com/q/117072/126632 – Michael Hampton Feb 01 '13 at 17:06
  • Not a duplicate, as the question is not how to copy keys, it is how to authenticate. Copying keys is not good in many enterprises. Another option is a centralized RADIUS server and pam-radius. You can use FreeRADIUS (perhaps with OpenLDAP), and you can even tie in AD using the MS RADIUS plugin NPS. An HR person can then disable a user without being an admin on your CentOS servers. Here's a link on pam-radius: [link](http://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to). – nowen Feb 05 '13 at 18:41
  • Userify can manage those accounts with centralized administration but local authentication. – fatal_error Nov 25 '16 at 23:13
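The "centralized file copied to every server" pattern from the question, extended with the role idea from its last paragraph, as an added example that is not from the question or any answer here. It assumes a constructed registry format (one line per user: login, comma-separated roles, public key) and renders the `authorized_keys` content a server of a given role should receive, so leavers are removed in one place and front-end keys never land on database hosts.

```shell
#!/bin/sh
# Added example: render a per-role authorized_keys file from one central key
# registry. Each host is assigned a role and receives only matching keys.
# Registry format (assumed, constructed): <user> <role,role,...> <public key>
set -eu

# Constructed sample registry; key material is a placeholder, not a real key.
REGISTRY='alice frontend,database ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 alice@laptop
bob frontend ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 bob@laptop
carol database,redis ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER3 carol@laptop
# comment lines and blank lines are ignored

dave redis ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER4 dave@laptop'

# render_keys ROLE: print authorized_keys lines for every user holding ROLE.
# Keys are pinned with restrictive options so a developer key cannot be used
# for port, agent or X11 forwarding unless explicitly granted elsewhere.
render_keys() {
    role="$1"
    printf '%s\n' "$REGISTRY" | while IFS=' ' read -r user roles key; do
        case "$user" in ''|'#'*) continue ;; esac
        # Surround with commas so "db" never matches "database" by prefix.
        case ",$roles," in
            *",$role,"*)
                printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$key" ;;
        esac
    done
}

# count_keys ROLE: how many keys a host of ROLE would receive (0 for unknown roles).
count_keys() {
    render_keys "$1" | grep -c . || true
}

# Typical push: render for this host's role and install atomically.
# ROLE=database; render_keys "$ROLE" > /home/deploy/.ssh/authorized_keys.tmp \
#   && mv /home/deploy/.ssh/authorized_keys.tmp /home/deploy/.ssh/authorized_keys
```

Changes to `authorized_keys` take effect on the next login without restarting sshd, so the distribution step can be a plain file copy followed by the rename shown in the trailing comment.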

1 Answer

I'll preface by saying that I don't administer a lot of Linux machines. Nearly all of my customers have Active Directory, and I have had good success using pam_krb5 to authenticate SSH users against AD using Kerberos. Presumably you could deploy your own Kerberos infrastructure (in lieu of Active Directory) to accomplish something similar.

Evan Anderson