科技回声

A tech news platform built on Next.js, carrying global tech news and discussion.
© 2025 科技回声. All rights reserved.

Show HN: Automatic account and SSH access provisioning tool for server admins

15 points, by skyraider, about 12 years ago

14 comments

staunch, about 12 years ago

Sorry to be another Debbie Downer, but this is not a good idea.

1. It's a huge security no-no. Much better would be having users run a daemon that polls for updates. At least that could probably be done while maintaining some semblance of security.

2. Admins don't need help with this, not really. Any competent admin will run Puppet (or Chef, or LDAP), which makes this stuff the most trivial thing you do.

I'd recommend a quick pivot (like let people run it themselves against their own servers) or just abort mission and chalk it up as a learning experience.
zorlem, about 12 years ago

I personally don't feel comfortable using your service - too much of a security risk giving Databracket LLC unrestricted root access. I guess most other security-minded people would not feel at ease either.

Having an agent running on the servers would be much better.

First, it will not require unrestricted SSH root access to the servers. Most of the servers don't allow root to login through SSH at all.

Second, an agent restricts the harm that could be done if somebody hacks their servers. This could be achieved with restrictions (specific commands, IP addresses) to the key that is added to root's authorized_keys, but there is no mention of that in the FAQ or the other docs.

Third, firewall management - good luck convincing somebody to modify the firewall to allow connections to the SSH service on all of their servers. A restricted agent will be a much easier sell.
jtchang, about 12 years ago

The idea is nice but the execution is flawed.

When teaching users new to Unix systems I tell them to guard the root password / anything that gives you root as closely as possible.

When securing systems you generally even want to disable root logins, period.

I don't feel comfortable with giving a 3rd party credentials to my servers and I don't recommend others do the same.

A downloadable product is really where you want to be headed with this. I'm okay running PuTTY or WinSCP where I get to have full control of whatever keys I put in.
crandles, about 12 years ago

"We require that you deploy our public key to your root account's authorized_keys file so that we can provision users on your behalf."

That feels like a big requirement. What is the gain of using your UI/service over using Puppet in-house and creating your own UI?
klaruz, about 12 years ago

I'm not going to comment on the security of giving somebody an SSH key to your root account... But it's a good idea to look at something like Puppet to do this.

Example: https://github.com/credativ/puppet-ssh-hiera
Keyneston, about 12 years ago

$4 a month per server for an rsync script I could write myself combined with our existing LDAP infrastructure? If it were a nice open-sourced tool I would consider it, but at hundreds to thousands a month I could never justify it to myself, let alone my boss.
gexla, about 12 years ago

I can largely do all this with Ansible and it's flexible enough that I could probably get pretty close to being as easy as a good web UI. The devs behind Ansible are also working on Ansible Commander which will provide a UI. The UI will likely be the difference maker, so you should include screenshots so that I don't have to create a new account for yet another service I may never again log into.

The pricing probably doesn't reflect how people would use this. The free plan is basically just a way to see how it works, as you wouldn't need something like this for just one server. Maybe you should increase the free plan to a few servers so that I could see how useful it might be.
nodesocket, about 12 years ago

Hello guys. Founder of https://commando.io. Commando.io is a web based interface to execute commands on remote servers over SSH. You can write commands in bash, perl, python, ruby, or even node.js. We seem to share some of the same ideas and vision. When you generate a public key in bastio.com do you also add a password to the key as well? I.e., if somebody were to compromise your server, they would need the SSH key password to SSH into other users' servers?
xinternetx, about 12 years ago

I'm sorry, but LDAP does this on a much larger scale for free. Nice idea, however wrong way to go about it big time.
ammmir, about 12 years ago

Why on earth do you need remote shell access to the machine?!

It seems to me that a self-hosted solution (one-time fee or recurring license fee would be fine with me) would be ideal, otherwise I'd have to worry about security of not only my machines, but also yours. Plus, I don't even allow root logins.

Perhaps an agent model would provide good middle ground: provide a daemon that runs on the server and waits for account creation requests pushed from your service. These wouldn't be executable commands, but rather JSON or some DSL specifying account username, group, password, initial SSH key, skel, etc. A compromise of your machines wouldn't allow remote commands to be executed on your customers' machines (provided the daemon isn't exploitable).
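Two of the suggestions above (zorlem's restricted key in root's authorized_keys, and ammmir's agent that accepts a JSON account description instead of commands) can be combined in one forced-command wrapper. The following is an added illustration, not Bastio's code or any commenter's; the wrapper path, the source address 203.0.113.10, the allow-listed groups and the sample requests are constructed assumptions.

```python
import json
import re

# Constructed allow-lists for a hypothetical forced-command wrapper; not Bastio's code.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
ALLOWED_GROUPS = {"developers", "ops"}
PUBKEY_RE = re.compile(r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) [A-Za-z0-9+/=]+( \S+)?$")

def authorized_keys_line(pubkey, from_hosts="203.0.113.10",
                         wrapper="/usr/local/sbin/provision-wrapper"):  # assumed path
    """Entry for root's authorized_keys that pins the provisioning key: 'restrict' (OpenSSH >= 7.2)
    drops pty/forwarding/agent, 'from' limits source addresses, 'command' replaces the client's command."""
    return f'restrict,from="{from_hosts}",command="{wrapper}" {pubkey}'

def validate_request(raw):
    """Parse one JSON account request; anything outside the allow-list is refused."""
    try:
        req = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"malformed JSON: {exc}")
    if not isinstance(req, dict) or set(req) - {"action", "username", "groups", "ssh_key"}:
        raise ValueError("unexpected fields")
    if req.get("action") not in ("create", "disable"):
        raise ValueError("unknown action")
    if not USERNAME_RE.match(str(req.get("username", ""))):
        raise ValueError("bad username")  # also refuses shell metacharacters in the name
    groups = req.get("groups", [])
    if not isinstance(groups, list) or not set(groups) <= ALLOWED_GROUPS:
        raise ValueError("group not allowed")  # no quiet promotion into sudo/wheel
    key = req.get("ssh_key")
    if req["action"] == "create" and not (isinstance(key, str) and PUBKEY_RE.match(key)):
        raise ValueError("bad public key")
    return {"action": req["action"], "username": req["username"], "groups": sorted(groups), "ssh_key": key}

def rejects(raw):
    """True when validate_request refuses the request."""
    try:
        validate_request(raw)
    except ValueError:
        return True
    return False

def plan_commands(req):
    """Fixed argv lists for a validated request. As the forced command, the wrapper reads one JSON
    document from stdin and ignores SSH_ORIGINAL_COMMAND, so only these argv lists are ever run."""
    if req["action"] == "disable":
        return [["usermod", "-L", req["username"]]]
    group_args = ["-G", ",".join(req["groups"])] if req["groups"] else []
    return [["useradd", "-m", *group_args, req["username"]]]
```

The commenters' point survives in the shape of the code: a compromise of the provisioning service yields at most a validated useradd or usermod on the host, and the key line itself refuses shells, forwarding and connections from other addresses.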
ashayh, about 12 years ago

No serious shop will use this. If you release it as an open source project, perhaps someone might find it useful, if they aren't using LDAP/Puppet/Chef/etc. Check out freeipa.org and https://oss.gonicus.de/labs/gosa.
skyraider, about 12 years ago

Hi, one of the creators here. We built this because we run our own machines and wanted an easier way to manage our OS user accounts and SSH keys across machines. We put together a beta service to do just that, and would love to hear what you think.
jaequery, about 12 years ago

With a catchy domain like bastio, perhaps you should try pivoting into doing something actually more useful, like bastion host as a service w/ 2-factor OpenVPN authentication.
kbar13, about 12 years ago

Did you write your own valid email address checker regex? It doesn't follow http://tools.ietf.org/html/rfc5233