aker-gateway / Aker

SSH bastion/jump host/jumpserver

Assume the User's Name for the Username #21

Open supertylerc opened 7 years ago

supertylerc commented 7 years ago

Currently, I must specify a username for a host in aker.ini. This is a convenient feature in some scenarios, but it would be nice if Aker would default to the user's username for the connection and optionally allow the user to specify a different username if he or she wanted.

As an example, consider the following:

[supertylerc]
hosts = 10.0.0.1,22
    192.168.0.1,22,admin

Given this configuration, Aker should connect to 10.0.0.1 as the user supertylerc because a more specific user isn't defined on that line. For 192.168.0.1, though, the more specific user admin is specified, so Aker should connect to 192.168.0.1 as that user.
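
The defaulting rule described in this request, as an added example that is not part of the original issue or of Aker's own code: it reads the proposed multi-line hosts value with Python's configparser and fills in the bastion user's name wherever a line omits the third field. The field layout (host,port[,user]), the assumption that the section name is the bastion user, and the sample config are all taken from or constructed around the comment above.

```python
"""Added example (not Aker's own code): parse the multi-line ``hosts`` value
from the proposed aker.ini layout and default the username to the connecting
user's name when a line does not name one. The field layout and the rule that
the section name is the bastion user are assumptions based on the comment above."""
import configparser
from dataclasses import dataclass
from typing import List

# Constructed config text mirroring the proposal in the comment above.
SAMPLE_INI = """
[supertylerc]
hosts = 10.0.0.1,22
    192.168.0.1,22,admin
"""


@dataclass(frozen=True)
class HostEntry:
    hostname: str
    port: int
    username: str
    explicit_user: bool  # True when the line itself named the account


def parse_host_line(line: str, default_user: str) -> HostEntry:
    """Parse 'host,port[,user]'; fall back to default_user when no user is given."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed host line: {line!r}")
    host, port = parts[0], int(parts[1])
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in host line: {line!r}")
    if len(parts) == 3:
        return HostEntry(host, port, parts[2], True)
    # No explicit account: connect as the bastion user (the section name).
    return HostEntry(host, port, default_user, False)


def load_hosts(ini_text: str, section: str) -> List[HostEntry]:
    """Read the hosts list of one user section; the section name is the bastion user."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    raw = cp.get(section, "hosts")
    # configparser keeps indented continuation lines as part of the same value.
    return [parse_host_line(line, default_user=section)
            for line in raw.splitlines() if line.strip()]


if __name__ == "__main__":
    for entry in load_hosts(SAMPLE_INI, "supertylerc"):
        print(f"{entry.username}@{entry.hostname}:{entry.port} "
              f"({'explicit' if entry.explicit_user else 'defaulted'})")
```

Rejecting malformed lines up front matters on a bastion: a silently ignored or mis-split line would otherwise let a connection fall through to the wrong account.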

anazmy commented 7 years ago

Authenticating user1 to servers as user2 is not a standard approach. May I know the rationale here, please?

cowreth commented 6 years ago

It could be a legit approach: you've got 10 sysadmins and 20 devs.

On the target, you have users "root" and "dev". On your bastion, you have two groups:

We lose the logs on the target (who logged in), but we have them on the Aker gateway. And since we record every command, we've got our asses covered ;)

I would rather opt for a subsection in the JSON:

"hosts": [{
  "name": "web1.ipa.example",
  "hostname": "web1.ipa.example",
  "port": "22",
  "key": "~/.ssh/id_rsa",
  "accounts": [
     {"username": "root", "groups": [ "sysadm" ]},
     {"username": "dev", "groups": ["sysadm", "devs"]}
  ]
}]

It would also allow putting only one ssh key on the target servers: the one from the Aker gateway. Removing one user from the central auth would remove all accesses without having to remove the user's key.

Does it make sense?

Cheers
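
The group-to-account mapping proposed in this comment, as an added example that is neither Aker's own code nor part of the original post: it takes the proposed hosts JSON, resolves which target accounts a bastion user may use from their group membership, denies by default, and emits the bastion-side audit line that records the real user behind a shared target account (the information the target host no longer sees). The group membership table, the user names and the audit-line format are constructed assumptions.

```python
"""Added example (not Aker's own code): resolve permitted target accounts from
the ``accounts``/``groups`` layout proposed above and log the real-user-to-
target-account mapping on the bastion. JSON layout, group names and the audit
format are assumptions constructed for this example."""
import json
from typing import Dict, List, Set

# Constructed hosts document following the structure proposed in the comment above.
SAMPLE_HOSTS = json.loads("""
{"hosts": [{
  "name": "web1.ipa.example",
  "hostname": "web1.ipa.example",
  "port": "22",
  "key": "~/.ssh/id_rsa",
  "accounts": [
     {"username": "root", "groups": ["sysadm"]},
     {"username": "dev", "groups": ["sysadm", "devs"]}
  ]
}]}
""")

# Constructed bastion group membership. In a real deployment this would come
# from the central directory (e.g. FreeIPA groups, as discussed in the thread).
BASTION_GROUPS: Dict[str, Set[str]] = {
    "alice": {"sysadm"},
    "bob": {"devs"},
    "mallory": set(),
}


def allowed_accounts(hosts_doc: dict, host_name: str, user_groups: Set[str]) -> List[str]:
    """Return the target accounts on host_name that any of user_groups may use."""
    for host in hosts_doc["hosts"]:
        if host["name"] == host_name:
            return [acct["username"] for acct in host["accounts"]
                    if user_groups & set(acct["groups"])]
    return []  # unknown host: nothing is permitted


def authorize(hosts_doc: dict, bastion_user: str, host_name: str, target_account: str) -> str:
    """Deny by default; return a bastion audit line only when the mapping is permitted."""
    groups = BASTION_GROUPS.get(bastion_user, set())
    if target_account not in allowed_accounts(hosts_doc, host_name, groups):
        raise PermissionError(f"{bastion_user} may not use {target_account}@{host_name}")
    # The target host only ever sees target_account; the real identity and the
    # groups that granted the access are kept here, on the bastion.
    return (f"bastion_user={bastion_user} target={target_account}@{host_name} "
            f"via_groups={sorted(groups)}")


if __name__ == "__main__":
    for user, account in [("alice", "root"), ("bob", "dev"), ("bob", "root")]:
        try:
            print(authorize(SAMPLE_HOSTS, user, "web1.ipa.example", account))
        except PermissionError as exc:
            print("denied:", exc)
```

The audit line is the piece that answers the logging concern raised against shared accounts: once the target only sees "root" or "dev", the bastion record is the only place the real user is attributable, so it has to be written for every accepted session.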

anazmy commented 6 years ago

@cowreth your request makes sense in the abstract for sure, but impersonating users is not the best approach IMHO.

Rather, elevate users' privileges using sudo configs. Aker is fully compatible with FreeIPA, which provides centralized sudo rules and works on almost all Linux distros; FreeIPA is like Active Directory for Linux.

I prefer such an approach to maintain proper logging, monitoring, alerts, etc.

cowreth commented 6 years ago

Sure, and totally agreed ;)

I've got another example: an infra where you have 2000+ servers with dozens of VLANs. You'll probably need dozens of IPAs. And distributing keys on the servers (and mgmt too) can be a pain too. Using the standard accounts and/or accounts created at provisioning can be useful in this case.

But no worry, I fully understand (and kinda support) your vision on that point!

anazmy commented 6 years ago

When it comes to distribution of keys, that's the beauty of FreeIPA: you don't need to, everything is centralized: users, ssh keys, OTP, etc.

Your point about different VLANs is valid for sure; however, I think it can be considered in a later phase. Right now the aim is to make Aker scalable to handle thousands of servers efficiently.