I'm trying to understand how to effectively handle user management across a large number of Linux servers—specifically more than 500. Currently, we're using a config management tool to push out user accounts and SSH keys directly to these machines instead of utilizing a directory service, which feels overwhelming. I'd love to hear more detailed approaches to this, especially concerning Active Directory (AD) integration, SSH key management, and any experiences related to performance or security issues. How do others handle these aspects?
1 Answer
We use SSSD configured to directly bind to AD, and it's been working quite well for us. We manage sudoers and access permissions through AD groups. For deploying users and keys, we rely on a mix of local scripts and Ansible playbooks, which run on newly imaged Linux systems. It's not fully automated, but it gets the job done effectively.
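The setup the answer describes, SSSD bound directly to AD with login permission gated by an AD group, written out as an added example configuration (this is not the answerer's own config). The domain, OU path and group names are placeholders, and the last setting, serving SSH public keys from the AD user object, goes beyond the answer's Ansible-pushed keys and is included as an option:

```ini
# /etc/sssd/sssd.conf  (root:root, mode 0600; sssd refuses to start with looser permissions)
[sssd]
config_file_version = 2
domains = corp.example.com
services = nss, pam, ssh

[domain/corp.example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad

# Who may log in at all: members of one AD group per host class. The
# matching-rule OID makes the filter follow nested group membership.
ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=linux-users,OU=Groups,DC=corp,DC=example,DC=com)

# Access is decided by the group filter above, not by GPO logon rights;
# turn GPO evaluation off so an unreachable SYSVOL cannot lock everyone out.
ad_gpo_access_control = disabled

# Short names (alice, not alice@corp.example.com); uid/gid are derived from
# the SID so every host computes the same ids without a schema extension.
use_fully_qualified_names = False
ldap_id_mapping = True
fallback_homedir = /home/%u
default_shell = /bin/bash

# Optional, beyond the answer's setup: serve SSH public keys stored on the AD
# user object (assumed attribute: altSecurityIdentities) instead of pushing
# ~/.ssh/authorized_keys. Disabling the AD account then also removes the key.
ldap_user_ssh_public_key = altSecurityIdentities
```

Sudo via AD groups then needs only a line such as `%linux-admins ALL=(ALL:ALL) ALL` in `/etc/sudoers.d/ad-admins` (check it with `visudo -cf`). If keys are served from AD, add `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys` and `AuthorizedKeysCommandUser nobody` to `sshd_config`. With `UsePAM yes`, sshd runs pam_sss in the account phase even for key-based logins, so a disabled AD account is denied once the host can reach a DC; local accounts and keys that configuration management wrote into `~/.ssh/authorized_keys` are not covered by this and keep working until a later run removes them.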
Do you have a strategy for SSH key revocation? If an employee is no longer with the company, how do you ensure their access is terminated?
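A check for the revocation question above, as an added example that is not part of the thread: audit a host's `authorized_keys` entries against the list of users AD still permits and print the ones that no longer belong. It assumes each key line ends with a `user@host` comment whose user part is the AD login name, and that the allowed list holds one login per line (on a real host you would build it from `getent group linux-users`); the key file and allowed list below are constructed sample data.

```shell
#!/bin/sh
# Added example: find authorized_keys lines whose comment does not name a
# user who is still allowed. Assumptions (see lead-in): comment is user@host,
# allowed list is one login per line. Sample data below is constructed.

# stale_keys KEYS_FILE ALLOWED_FILE
# Prints every non-comment key line whose owner is not in ALLOWED_FILE.
# A line without a comment ends in the key blob, which matches no login,
# so it is flagged too: an unattributable key cannot be revoked by name.
stale_keys() {
    keys_file=$1
    allowed_file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        comment=${line##* }      # last whitespace-separated field
        user=${comment%%@*}      # strip @host
        if grep -qxF -- "$user" "$allowed_file"; then
            continue
        fi
        printf '%s\n' "$line"
    done < "$keys_file"
}

# write_sample_data DIR
# Creates DIR/authorized_keys and DIR/allowed with constructed content:
# alice and bob are still employed, mallory has left.
write_sample_data() {
    dir=$1
    cat > "$dir/authorized_keys" <<'EOF'
# keys pushed by configuration management
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAliceXXXXXXXXXXXXXXXXXXX alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBobXXXXXXXXXXXXXXXXXXXXX bob@desktop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyMalloryXXXXXXXXXXXXXXXXX mallory@old-laptop
EOF
    printf 'alice\nbob\n' > "$dir/allowed"
}

# stale_count DIR -> number of stale lines in DIR/authorized_keys
stale_count() {
    stale_keys "$1/authorized_keys" "$1/allowed" | wc -l | tr -d ' '
}

# Demo run on the constructed data; prints mallory's key line.
demo_dir=$(mktemp -d)
write_sample_data "$demo_dir"
stale_keys "$demo_dir/authorized_keys" "$demo_dir/allowed"
rm -rf "$demo_dir"
```

Run it from the configuration management tool against every host's real `authorized_keys` files and treat any output as a finding; it only reports, because the fix in the Ansible-push model is to remove the key from the source of truth and re-run the play, not to edit files by hand on 500 machines.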