I work at a relatively small development agency. Every so often we have somebody who parts ways; we have to tie up all loose ends in regards to account access, SSH public keys, etc. Are there any intuitive web interfaces or CLI apps for maintaining user access control (primarily SSH, but suggestions welcome) to a number of different machines?<p>I myself have used groups internally, but it still entails me remoting into the box to revoke access. It'd be nice if there was some unified way to revoke access across multiple machines.<p>Thanks!
Some more digging netted me some positive results for using Puppet:<p><a href="http://itand.me/using-puppet-to-manage-users-passwords-and-ss" rel="nofollow">http://itand.me/using-puppet-to-manage-users-passwords-and-s...</a>
<a href="http://serverfault.com/questions/58790/how-can-i-have-puppet-deploy-ssh-keys-for-virtual-users" rel="nofollow">http://serverfault.com/questions/58790/how-can-i-have-puppet...</a>
I've also got to quickly add that there are often scenarios where we have SSH access to client machines that are entirely out of our control. We might have limited access (i.e. no sudo/su). This scenario is the more difficult of the bunch for me to wrap my head around resolving.
To avoid the inevitable errors that turn into security problems, you need to either use a network-based authentication mechanism or limit ingress into the network to a single point to reduce the number of things that you need to touch.
'AllowGroups ssh-users' locks out anyone not in the group ssh-users (notably, including any test accounts you may have misconfigured). You'll have to do <i>something</i> with the account anyway, so...<p>There are various ways of central access control (modern SSH has certificates; Kerberos works too), which may also help here. But that's probably overkill for your issue.
Use a VPN. Make that the only point of entry, and whenever somebody departs, you only have to revoke access to the VPN. Here's a decent OpenVPN guide: <a href="http://code.mixpanel.com/openvpn-in-the-rackspace-cloud/" rel="nofollow">http://code.mixpanel.com/openvpn-in-the-rackspace-cloud/</a>
If your public keys are properly named in the authorized_hosts file, then you would just use sed to remove the relevant keys.<p>If you don't want to do that, any centralised user management system would allow removal of the user from the allowed ssh group, and adding a VPN layer is good too.
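Added example, not code from any of the posters above: a small POSIX shell routine that does the "remove the departing user's key" step the comment describes, but matches the key line's comment field exactly instead of relying on an ad-hoc sed regex, preserves the file's mode, and reports how many lines were removed so a mistyped name is noticed rather than silently revoking nothing. The file format is the standard authorized_keys layout (`[options] keytype base64 [comment]`); the key blobs and comments in the sample are constructed and not real keys.

```shell
#!/bin/sh
# Added example (not from the thread): revoke a departing user's SSH key from
# an authorized_keys file by its comment field, then verify it is gone.
# Matching on the exact last field avoids the classic sed mistake of a loose
# regex deleting (or missing) neighbouring keys.

# count_lines FILE: number of non-blank lines.
count_lines() {
  awk 'NF { n++ } END { print n + 0 }' "$1"
}

# key_present FILE COMMENT: exit 0 if some key line ends with COMMENT.
key_present() {
  awk -v c="$2" '
    /^[[:space:]]*#/ { next }          # skip comment lines
    NF && $NF == c { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# revoke_key_by_comment FILE COMMENT
# Rewrites FILE in place (keeping its mode and owner) without any key line
# whose last field equals COMMENT. Prints the number of lines removed and
# returns 1 if nothing matched, so a typo in the comment is noticed.
revoke_key_by_comment() {
  file=$1
  comment=$2
  tmp="$file.tmp.$$"
  before=$(count_lines "$file")
  awk -v c="$comment" '
    /^[[:space:]]*#/ { print; next }   # keep comment lines untouched
    NF && $NF == c { next }            # drop the matching key line(s)
    { print }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
  after=$(count_lines "$tmp")
  removed=$((before - after))
  # writing into the original file keeps ownership and 0600 mode; mv would not
  cat "$tmp" > "$file" && rm -f "$tmp"
  echo "$removed"
  [ "$removed" -gt 0 ]
}

# write_sample_keys FILE: constructed sample authorized_keys (fake key blobs).
write_sample_keys() {
  cat > "$1" <<'EOF'
# team keys (constructed sample, key material is not real)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYMATERIALALICE1 alice@laptop
ssh-rsa AAAAB3NzaC1yc2EFAKEKEYMATERIALBOB bob@desktop
command="/usr/bin/backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYMATERIALALICE2 alice@laptop

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYMATERIALCAROL carol@workstation
EOF
  chmod 600 "$1"
}

# Stand-alone demo on a temporary copy of the constructed sample.
demo() {
  f=$(mktemp) || return 1
  write_sample_keys "$f"
  printf 'removed %s line(s) for alice@laptop\n' "$(revoke_key_by_comment "$f" alice@laptop)"
  key_present "$f" alice@laptop && echo "alice still present" || echo "alice revoked"
  key_present "$f" bob@desktop && echo "bob still present"
  rm -f "$f"
}
demo
```

Applying it to the original poster's "several machines" case is a loop of `ssh host` invocations calling the same routine against each `~/.ssh/authorized_keys`; the non-zero return on no match is what makes such a loop safe to trust, since a host where the name was never present (or was spelled differently) shows up as a failure instead of disappearing into the output.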