Concern About SSH Certificates and User Tracking

Asked By CuriousExplorer92 On

I've been exploring the use of SSH certificates for authentication and I'm struggling to understand the mapping between users and principals. My main concern is that it complicates logging and auditing for actions taken by different users. For instance, if I have users 1 to 5 all using the 'www' principal to access production servers, it becomes impossible to tell who made which changes after they log in. I'd prefer to have logs that show individual actions, like 'user x made a change' rather than just 'www made a change.' It seems like having a one-to-one mapping between users and principals would be more straightforward for tracking. How does the many-to-one mapping actually enhance security?

5 Answers

Answered By SecurityGuru On

You're spot on about the auditing issues. When everyone logs in as 'www', it muddies the command history. Many-to-one mapping is useful mainly for managing access across large fleets of servers, but it should ideally map certificates to personal accounts. This way, actions done as 'www' can be tracked in the sudo logs instead, ensuring you have a clear audit trail.

Answered By DataDrivenDev On

Using a generic user isn't following basic security protocols. Individual accounts should be used for logging into systems, especially for tasks that require tracing actions. In a well-designed setup, credential management and SIEM systems should log everything, allowing you to review activity and maintain security without ambiguity.

Answered By IdentityForensics On

You can resolve your auditing issues by configuring your SSH certificates with identifiable names using the `-I` option when you create your key. That way, even when logging in as 'www', the identity will still show up in your logs, which helps in differentiating users during tracking if needed. It won't solve everything, but it's a step in the right direction.
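As an added example (not code from the answer above or from OpenSSH), the following Python script shows how the certificate key ID set with `ssh-keygen -I` surfaces in sshd's "Accepted publickey" line and can be used to attribute logins to a shared principal such as 'www', while flagging plain-key logins that carry no ID. The sample log lines, hostnames, addresses and fingerprints are constructed for illustration.

```python
import re
from collections import defaultdict

# sshd's log line for a successful certificate login carries the certificate's
# key ID (the value given to `ssh-keygen -I`) and serial, so a login to a shared
# principal such as 'www' can still be attributed to the person holding the cert.
CERT_LOGIN = re.compile(
    r"Accepted publickey for (?P<principal>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"\S+-CERT \S+ ID (?P<key_id>.+?) \(serial (?P<serial>\d+)\) CA \S+ \S+"
)
# A plain public-key login (no certificate) carries no key ID, so it cannot be attributed.
PLAIN_LOGIN = re.compile(
    r"Accepted publickey for (?P<principal>\S+) from (?P<src>\S+) port \d+ ssh2: [A-Z0-9]+ SHA256:\S+$"
)

# Constructed sample sshd log (hostnames, addresses and fingerprints are made up).
SAMPLE_LOG = """\
Mar  3 10:01:02 prod-web1 sshd[2101]: Accepted publickey for www from 10.0.0.5 port 51234 ssh2: ED25519-CERT SHA256:aaaa ID alice (serial 7) CA ED25519 SHA256:cccc
Mar  3 10:02:17 prod-web1 sshd[2140]: Accepted publickey for www from 10.0.0.6 port 51240 ssh2: ED25519-CERT SHA256:bbbb ID bob (serial 8) CA ED25519 SHA256:cccc
Mar  3 10:03:44 prod-web1 sshd[2188]: Accepted publickey for www from 10.0.0.9 port 51299 ssh2: ED25519 SHA256:dddd
Mar  3 10:05:00 prod-web1 sshd[2203]: Accepted publickey for alice from 10.0.0.5 port 51301 ssh2: ED25519-CERT SHA256:aaaa ID alice (serial 7) CA ED25519 SHA256:cccc
"""

def attribute_logins(log_text):
    """Return ({principal: [(key_id, serial, src), ...]}, [(principal, src) for plain-key logins])."""
    by_principal = defaultdict(list)
    unattributed = []
    for line in log_text.splitlines():
        m = CERT_LOGIN.search(line)
        if m:
            by_principal[m["principal"]].append((m["key_id"], int(m["serial"]), m["src"]))
            continue
        m = PLAIN_LOGIN.search(line)
        if m:
            unattributed.append((m["principal"], m["src"]))
    return dict(by_principal), unattributed

def shared_principal_report(log_text, shared=("www",)):
    """Distinct certificate IDs seen on each shared principal, plus logins that could not be attributed."""
    by_principal, unattributed = attribute_logins(log_text)
    report = {p: sorted({kid for kid, _, _ in by_principal.get(p, [])}) for p in shared}
    return report, unattributed

if __name__ == "__main__":
    report, missing = shared_principal_report(SAMPLE_LOG)
    for principal, ids in report.items():
        print(f"{principal}: logins attributed to certificate IDs {ids}")
    for principal, src in missing:
        print(f"WARNING: login to {principal} from {src} used a plain key; no certificate ID to attribute")
```

The third sample line is the case the key ID does not cover: a bare authorized key on the shared account leaves nothing to attribute, so such logins are worth alerting on if the fleet is meant to be certificate-only.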

Answered By BestPracticesNerd On

Yes, the issue you raise is quite common, but it really boils down to best practices. Ideally, you want a one-to-one user-to-principal mapping with identifiable credentials. It tends to make auditing much clearer, as the majority of systems I've seen prefer this method over the many-to-one setup for the sake of accountability in logs.

ConfusedLearner -

Interesting! But I've noticed that tutorials often show many-to-one mapping. Is that how organizations typically do it in a real-world scenario?

Answered By TechSavvy101 On

Using shared accounts like 'www' for multiple users can be problematic. It's generally not recommended because it blurs accountability. A better approach would be to have everyone log in with their own accounts and then switch to a higher privilege account as needed. This way, you'll maintain individual audit trails since actions taken under the 'www' account can be viewed through the original user account.

UserAccount1 -

That's what I do too! I log in with a basic user account and then switch to a different one to perform administrative tasks. It really helps keep things organized and trackable.
