Scale SSH access with Ansible
Pulkit Vaishnav (~pulkit) |
Description:
We all face problems in providing SSH access to the developers, it could be managing public keys of developers, updating authorized_keys file at servers and providing read-only (or full access) to limited developers. Have we ever think of solving this problem without updating all servers. It would be possible with SSH certificate-based authentication.
SSH access with public key based authentication requires copying public key on each host from the user, this approach doesn’t scale well. The certificate authority (CA) issues a certificate with a public key, copying the CA public key to every host remove the need to copy the user’s key on every host. For the validation of any user, CA uses an X.509 attribute of ssh-keygen to sign a user’s public key and generate a certificate. While signing a certificate we can specify a version, serial number, identity, validity and access level (principals).
There are alternative approaches to manage users using a central authentication system like LDAP or Kerberos. But centralize system has its own drawbacks. If the centralized system goes down you will lock out yourself from the system. For example: at the time of downtime from the service provider or DNS outage.
Here are some SSH CA features, which can increase security:
CA offers certificate validity using which we can create a certificate for a limited validity, every time a user needs access to generate a certificate and access will be revoked in some time. Role-based access can be provided using the principals (attribute of ssh config). Each user will have a unique identity using which we can track user’s activities. SSH CA is a very efficient and secure way to provide SSH access to users. Companies like Facebook, Netflix, Uber, Lyft are using this to provide access to the users by signing their public keys using CA.
Prerequisites:
Basic knowledge of SSH.
Content URLs:
Draft slides:https://docs.google.com/presentation/d/1o3JJdve-C--HJxhHzwXMkXyf74yNJOi7juVEn4phxQk
Github: https://github.com/moengage/easy_ssh
Video (Speaker @Rootconf): https://www.youtube.com/watch?v=Lqbtn0Gjnho
Speaker Info:
Pulkit Vaishnav is an enthusiast DevOps Engineer who is working towards building secure and scalable infrastructure @MoEngage. His experience also includes working with leading CDN partner (PacketZoom) serving billions request/day, working on hybrid infrastructure. He also co-founded Hashgrowth an App Store Optimisation platform to drive mobile app growth. Pulkit also likes to explore new technologies and when not working likes to travel, explore new food places and binge.
Speaker Links:
https://www.linkedin.com/in/pulkit-vaishnav-3215a385/
https://medium.com/@pulkitvaishnav