I have several remote developers and several servers on EC2. Is there a way I can centrally manage the authorized_keys file on EC2, rather than having to add keys manually on each server?
One option is to have a tiny instance set up; you provide all your developers access to this machine. They SSH into it, and the machine has an authorized SSH key that allows them access to all the other machines. You can then use firewalls on the machines to prevent SSH logins from other IP addresses.
Another option would be to set up something like Puppet, which would be able to manage the authorized_keys file for you.
Yet another option is to set up a script to rsync the authorized_keys file over to all the hosts when it's changed on one machine. You could use something like lsyncd to automate this.
Keep in mind that just because you revoke a developer's SSH key does not mean you have removed any access they might have to that machine. A malicious person with SSH access might set up something like a reverse shell, or add various types of backdoors to the code they are working on.
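The "rsync the file to every host" option above, written out as an added example (this is not code from the answer's author): a central authorized_keys file is validated line by line before anything is pushed, then copied to each host with rsync, and a separate check reports hosts whose copy has drifted from the central one. The paths in KEYS_FILE, HOSTS_FILE and REMOTE_PATH and the `deploy` user are assumptions; the key material in the comments is constructed, not a real key.

```shell
#!/bin/sh
# Added example: distribute one central authorized_keys file to many hosts.
# Assumed layout (not from the original post):
#   KEYS_FILE   central copy, edited in one place
#   HOSTS_FILE  one "user@host" per line
#   REMOTE_PATH where the file lands on each host
set -eu

KEYS_FILE="${KEYS_FILE:-/srv/ssh/authorized_keys}"
HOSTS_FILE="${HOSTS_FILE:-/srv/ssh/hosts.txt}"
REMOTE_PATH="${REMOTE_PATH:-/home/deploy/.ssh/authorized_keys}"

# Return 0 only if every non-blank, non-comment line has the shape
#   [options] <key-type> <base64-blob> [comment]
# Pushing a malformed file to every host is the fastest way to lock
# yourself out of all of them at once, so refuse anything that does not parse.
validate_keys_file() {
  file="$1"
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;
    esac
    if ! printf '%s\n' "$line" | grep -Eq \
      '^([^ ]+ +)?(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) +[A-Za-z0-9+/]+=*( +.*)?$'
    then
      echo "invalid authorized_keys line: $line" >&2
      bad=1
    fi
  done < "$file"
  return $bad
}

# Print the number of key entries (blank and comment lines excluded).
count_keys() {
  grep -Ec '^[^#[:space:]]' "$1" || true
}

# Copy the central file to every host. --checksum only transfers on content
# change; --chmod=F600 keeps sshd's StrictModes check happy.
push_keys() {
  validate_keys_file "$KEYS_FILE" || {
    echo "refusing to push: $KEYS_FILE failed validation" >&2
    return 1
  }
  while IFS= read -r host || [ -n "$host" ]; do
    [ -n "$host" ] || continue
    rsync -az --checksum --chmod=F600 "$KEYS_FILE" "$host:$REMOTE_PATH"
  done < "$HOSTS_FILE"
}

# Drift check: report any host whose authorized_keys no longer matches the
# central copy (someone added a key by hand, or a push was missed).
check_drift() {
  want=$(sha256sum "$KEYS_FILE" | cut -d' ' -f1)
  rc=0
  while IFS= read -r host || [ -n "$host" ]; do
    [ -n "$host" ] || continue
    have=$(ssh -o BatchMode=yes "$host" "sha256sum '$REMOTE_PATH'" | cut -d' ' -f1)
    if [ "$have" != "$want" ]; then
      echo "DRIFT: $host has $have, expected $want" >&2
      rc=1
    fi
  done < "$HOSTS_FILE"
  return $rc
}

# Usage: ./sync-keys.sh push | check
case "${1:-}" in
  push)  push_keys ;;
  check) check_drift ;;
esac
```

Run `push` from the machine holding the central file (or from an lsyncd hook, as the answer suggests) and `check` from cron so a key that was added directly on a host shows up as drift rather than going unnoticed.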
I ended up adding password authentication back to SSH so I could just manage it with the user names and passwords on the server. I would be interested to see how other people approached this.
You can use LDAP, but you'll need to apply the OpenSSH patch and build it yourself. But you also get centralized account management as well.
If you manage to set up your base image to utilize itself as a Puppet client, you can make use of the ssh_authorized_key directive, or even manage a template file directly using the file type and pushing it to the .ssh/authorized_keys file. Puppet also includes utilities to manage provisioning through EC2, so you can really make it all a one-stop shop.
It's quite hard to manage keys to SSH into instances, and there are no easy solutions that come to my mind. Cloud management software such as RightScale and Scalr solves this kind of problem. Scalr provides one-click SSH access to any of your instances using secure key access and lets you re-download keys if you lose them. Scalr is open source or available online through a hosted version.
PS: I work at Scalr
Userify.com manages user accounts, SSH keys, and sudo roles.
It's pretty easy to deploy using AWS's User Data (under the Advanced tab of instance launch), or stick it right in the UserData script for an autoscaling group or whenever you're launching an instance by hand, which is great because it works before you even log in. (Or you can just paste the one-liner into your server console, but that's not nearly as fun.)
It supports Chef and stuff like that, too, and each user (developer/admin/etc) gets his own web login to update keys. It's pretty painless.