
I need to share SSH access to a number of servers with my teammates and am looking for a secure way to do it. I came up with a configuration involving an SSH bastion server, but I am not sure how (and if) it could be done.

I want to have only one SSH key allowed per server, not one per user, so I do not have to update them all the time. Every user should have access to the bastion server with his own ssh key. All the server private keys should be placed on the bastion server. Somehow they should be usable by all the users to log in to servers, but not to read or copy.

So my question is can this be done and how?

ivangretsky
  • Don’t. Use this as yet another reason to get a configuration management tool such as Ansible. You should want unique accounts for every one of your users and with suitable tools creating both the accounts and deployment of a personal key becomes trivial. Shared accounts and shared keys are bad as they make it nearly impossible to hold people responsible for their actions and they usually don’t get updated once the team changes. – HBruijn Jul 25 '18 at 17:50
  • Thanks for your response, @HBruijn. Could you suggest something to read about it? – ivangretsky Jul 25 '18 at 18:05
  • Bastion hosts aren't usually a good idea anyway. Better to use a VPN. Or IPv6, if you can. – Michael Hampton Jul 25 '18 at 18:29
  • I wanted to add that currently I am managing a bunch of shared hosting servers that do have ssh but do not allow creating unique accounts for users. – ivangretsky Jul 25 '18 at 18:32

2 Answers

0

CLD project fit for these purposes https://github.com/classicdevops/cld

If you have any questions, ask in the comments; I'll update the post.

0

I agree with the comment that this is a bad idea.

When you write "All the server private keys should be placed on a bastion server", I assume you don't refer to the actual server private keys, but to the private keys that are allowed for the servers in allowed_keys.

Anyway, to answer your question, you can run an ssh agent on your bastion host as some user and load all the keys into the agent. Normally the socket to access the agent is only available to the user starting the agent, but that can be changed later by chmod or chown. You can automate this on server startup. Later, users can access the socket to the agent and the agent will provide the authentication to the server, but not allow the key to be copied. One problem is that an SSH server will only allow a limited number of tries with a key. If you have more servers than allowed tries, you need one agent for each server (or one agent each for a small enough group of servers).

Ansible has been suggested. Ansible is a great tool for configuration management, but you may consider it overkill to use it just for the keys. Look it up anyway, if you have a large number of servers you may find it useful for other tasks, too.

As each user should have access to the bastion server with his own ssh key, this means that on your bastion server there is an up-to-date authorized_keys file. So there is a simple solution: create a script like this and run it whenever that file changes. Drawbacks are that it must be run as root to access the files from all users, and to remove access for a user you must truncate the file but not delete it.

#!/bin/sh
# Run as root on the bastion. HOST_LIST and USER_LIST are space-separated
# lists of target hosts and of the users whose keys are to be copied.
for host in $HOST_LIST; do
    for user in $USER_LIST; do
        # eval is needed so that ~$user expands to that user's home directory
        eval scp -p "~$user/.ssh/authorized_keys" "$host:~$user/.ssh/authorized_keys"
    done
done

If you can connect all the servers to one LDAP server (or to secondary servers of your primary LDAP server), just have each user place their public SSH key in the LDAP directory and query that from the servers.

If that is not feasible and you don't like the script that copies each user's authorized_keys file, you can create one file that lists the user names and the SSH keys. Set up automated distribution of this file to the servers. The file doesn't have to be owned by root, so a dedicated user account for this will suffice. On all the servers, once configure in sshd_config an entry AuthorizedKeysCommand with the name of a script that reads this file with all the keys and returns the key for the user trying to log in. This script must run as a user that has access to the file containing the SSH keys. You can make this file unreadable for your users, but that is not necessary since it only contains public keys, and they are not sensitive.

If you want individual SSH keys per user, but only one account, just set up automated distribution of the authorized_keys for this one account:

# HOST_LIST is space-separated; "account" is the single shared login account
for host in $HOST_LIST; do
    scp -p authorized_keys "account@$host:.ssh/authorized_keys"
done
RalfFriedl
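The AuthorizedKeysCommand script that this answer describes but does not show, written as an added example (it is not code from the answer or from the OpenSSH project). It assumes the script is installed as /usr/local/sbin/lookup_keys.sh, runs under a dedicated account named keylookup via AuthorizedKeysCommandUser, and reads /etc/ssh/team_keys; those three names, the function names, the sample users and the placeholder key strings are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: an AuthorizedKeysCommand helper for the "one shared key file"
# scheme described in the answer. Not code from the answer or from OpenSSH.
# Assumed deployment (names are assumptions):
#   AuthorizedKeysCommand /usr/local/sbin/lookup_keys.sh %u
#   AuthorizedKeysCommandUser keylookup
# Key file format, one key per line:
#   <username> <key-type> <base64-key> [comment]

KEYS_FILE="${KEYS_FILE:-/etc/ssh/team_keys}"

# Accept only plain user names. sshd passes %u verbatim, so refuse anything
# that is empty, looks like an option, or contains characters outside the
# usual account-name set.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the keys of one user in authorized_keys format (user-name column
# removed). Comment lines, blank lines and lines with fewer than three
# fields are ignored. Returns non-zero for a bad user name or an unreadable
# file, which sshd treats as "no keys for this user".
lookup_keys() {
    user="$1"
    file="$2"
    valid_user "$user" || return 1
    [ -r "$file" ] || return 1
    awk -v u="$user" '
        /^[[:space:]]*#/ || NF == 0 { next }
        NF >= 3 && $1 == u { $1 = ""; sub(/^[[:space:]]+/, ""); print }
    ' "$file"
}

# Number of keys a user has; handy when checking a new key file before
# distributing it to the servers.
count_keys() {
    lookup_keys "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample data for trying the script out; the key material is
# placeholder text, not real keys.
write_sample_keys() {
    cat > "$1" <<'EOF'
# team keys (constructed sample)
alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERALICE alice@laptop
bob   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBOB bob@desk
alice ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER alice@old-laptop
this-line-is-malformed
EOF
}

# When sshd invokes the script, the user name is the only argument.
if [ -n "${1:-}" ]; then
    lookup_keys "$1" "$KEYS_FILE"
fi
```

Two points worth keeping in mind when deploying something like this: sshd refuses to run an AuthorizedKeysCommand unless the script is owned by root and not writable by group or others, and the key file decides who can log in, so even though its contents are public, only the account that distributes it should be able to write it. The `valid_user` check is there because `%u` is whatever name the client offered at login, not a name sshd has already validated.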