Home / server / Questions / 392785
Accepted
usr-local-ΕΨΗΕΛΩΝ
Asked: 2012-05-26 12:34:13 +0800 CST

How do I set up SSH to allow 5 people log in to 100 Linux boxes with the same credentials?

  • 772

Suppose I have 5 users and 100 Linux machines with remote shell enabled. How do I set the environments up to allow these few users to log in to any of the machines with the same credentials?

ssh user-management

2 Answers

  1. Best Answer

    Set up LDAP domain

    By using an LDAP domain every authentication request to any machine is redirected to the domain controller. As far as I know, some Linux distros can join a Windows domain, if you have already one active. With this you have full centralized control over all the users in the network. You can add and remove users immediately from a single machine.

    Pros:

    • Easiest to maintain
    • Immediate effect of user management
    • Very useful and cheap if you have an already active domain in your company
    • Integrated with common domain management software (ie. if you use Windows)

    Cons:

    • If the LDAP controller is not clustered, that would be a single-point-of-failure, so you have to take into account more servers
    • (continued) The extra server(s) for LDAP and cluster makes the solution more expensive
    • Slightly difficult to set up if you don't have a domain controller already running
    • AFAIK you can't use public key authentication

    Distribute SSH keys from a centralized machine

    This is very useful when you want to use stronger authentication with public keys. You can upload all the users' keys on a single box that runs a Cron job scping the pubkeys to the correct home directories at certain time intervals

    Pros:

    • Fault tolerant. Any number of servers can crash but the available machines won't be affected
    • Easiest and cheapest to setup

    Cons:

    • If you have more than "five" users, ie. you are working on a large corporate network, user management is extremely difficult
    • (continued from above) user creation, deletion, etc. must be done for each server, usually with a script that replicates commands
    • Public keys are updated in delay if you don't manually run the script

    Mount the home directories in a shared network drive (NFS, SSHFS...)

    This has the advantage of real-time effects of modification of public keys (since they are always read from network share). Also, if you make /etc/shadow a symlink to a shared drive you have real-time user management from your controller

    Pros:

    • Not many except real-time modifications
    • Whole home directory is shared across servers (it often comes handy, believe me...)

    Cons:

    • Fault tolerant as the LDAP domain. You need to replicate the home directories or you cannot authenticate
    • Trickier than both the solutions to set up and maintain
    • 2

  2. Below is how a large organization does it with Puppet and SSH keys. The puppetmaster distributes the user accounts, ssh settings directory for each user, and sets a password for each user.

    http://itand.me/using-puppet-to-manage-users-passwords-and-ss

    This can be replicated in any config management system, not just Puppet.

    • 1