We have a team of 20+ interns that join and leave us every 3-6 months. They each have individual SSH logins setup on 10-15 shared AWS instances, some of which have been running for years, others run for a few days or weeks. Each time, we need the admin to create the instance and authorize the users and their keys, as well as set up their roles. When they leave, the admin manually deletes all users or in some cases only blocks the authorized keys to prevent SSH.
What is the best practice to be able to automate this user and SSH management for running instances? How can we audit our instances to ensure that a user does not bypass our SSH restrictions?
If you always have folks leaving & joining, and you care a bit about security you might want to consider multi factor authentication along with Teleport.
The 'cluster' concept in Teleport should let users automatically login to new hosts in a cluster with no intervention. You can also specify the duration of SSH keys and create/delete users across clusters easily.
Setting up Teleport could be as involved as using Puppet/Chef, so you might want to prepare & prioritize a list of your requirements & features before implementation.
LDAP/AD support is a paid feature of Teleport.
FreeIPA is likely to be what your are looking for. http://freeipa.org/page/Main_Page
It allows to manages hosts and users, set up expiration dates etc, all from a web interface.