Open supertylerc opened 7 years ago
Authenticating user1 to servers as user2 is not a standard approach; may I know the rationale here, please?
It could be a legit approach: you've got 10 sysadmins and 20 devs.
On the target, you have users "root" and "dev". On your bastion, you have two groups:
We lose the logs on the target (who logged in), but we have them on the Aker gateway. And since we record every command, we've got our asses covered ;)
I would rather opt for a subsection in the JSON:

```json
"hosts": [
  {
    "name": "web1.ipa.example",
    "hostname": "web1.ipa.example",
    "port": "22",
    "key": "~/.ssh/id_rsa",
    "accounts": [
      {"username": "root", "groups": ["sysadm"]},
      {"username": "dev",  "groups": ["sysadm", "devs"]}
    ]
  }
]
```
It would also make it possible to put only one ssh-key on the target servers: the one from the Aker gateway. Removing a user from the central auth would remove all their accesses without having to remove the user's key.
Does it make sense?
Cheers
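To make the proposed "accounts" subsection concrete, here is an added example (not Aker's code, and not part of the thread) that resolves which target accounts a gateway user's groups permit, deny-by-default, and produces the gateway-side audit line that preserves the real identity behind a shared target account. Hostnames, groups and user names are constructed for the example.

```python
import json

# Constructed sample in the "accounts" shape proposed above
# (hypothetical hosts and groups, not a real Aker configuration).
SAMPLE_CONFIG = json.dumps({
    "hosts": [
        {"name": "web1.ipa.example", "hostname": "web1.ipa.example", "port": "22",
         "key": "~/.ssh/id_rsa",
         "accounts": [{"username": "root", "groups": ["sysadm"]},
                      {"username": "dev", "groups": ["sysadm", "devs"]}]},
        {"name": "db1.ipa.example", "hostname": "db1.ipa.example", "port": "22",
         "key": "~/.ssh/id_rsa",
         "accounts": [{"username": "root", "groups": ["sysadm"]}]},
    ]
})


def allowed_accounts(config_text, user_groups):
    """Return {host name: [target accounts]} that the caller's groups permit.

    Deny by default: a host with no matching account is omitted entirely, and
    an account entry without a 'groups' list is never granted to anyone.
    """
    config = json.loads(config_text)
    groups = set(user_groups)
    result = {}
    for host in config.get("hosts", []):
        targets = [acct["username"] for acct in host.get("accounts", [])
                  if groups & set(acct.get("groups", []))]
        if targets:
            result[host["name"]] = targets
    return result


def audit_record(gateway_user, host_name, target_user, permitted):
    """Gateway log line: who the real user was, even when the target account is shared."""
    verdict = "ALLOW" if target_user in permitted.get(host_name, []) else "DENY"
    return f"{verdict} gateway_user={gateway_user} host={host_name} target_user={target_user}"


if __name__ == "__main__":
    perms = allowed_accounts(SAMPLE_CONFIG, ["devs"])
    print(perms)
    print(audit_record("alice", "web1.ipa.example", "dev", perms))
    print(audit_record("alice", "web1.ipa.example", "root", perms))
```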
@cowreth your request makes sense in the abstract for sure, but impersonating users is not the best approach IMHO.
Rather, elevate users' privileges using sudo configs. Aker is fully compatible with FreeIPA, which provides centralized sudo rules and works on almost all Linux distros; FreeIPA is like Active Directory for Linux.
I prefer such an approach to maintain proper logging, monitoring, alerts, etc.
Sure, and totally agreed ;)
I've got another example: an infra where you have 2000+ servers with dozens of VLANs. You'll probably need dozens of IPAs. And distributing keys on the servers (and mgmt too) can be a pain too. Using the standard accounts and/or accounts created at provisioning can be useful in this case.
But no worry, I fully understand (and kinda support) your vision on that point!
When it comes to distribution of keys, that's the beauty of FreeIPA: you don't need to, everything is centralized: users, ssh keys, OTP, etc.
Your point about different VLANs is valid for sure; however, I think it can be considered in a later phase. Right now the aim is to make Aker scalable to handle thousands of servers efficiently.
Currently, I must specify a username for a host in `aker.ini`. This is a convenient feature in some scenarios, but it would be nice if Aker would default to the user's username for the connection and optionally allow the user to specify a different username if he or she wanted. As an example, consider the following:

Given this configuration, Aker should connect to `10.0.0.1` as the user `supertylerc` because a more specific user isn't defined on that line. For `192.168.0.1`, though, the more specific user `admin` is specified, so Aker should connect to `192.168.0.1` as that user.