Hey everyone! I'm looking for insights on how to manage admin authentication for our Linux servers in a primarily Windows-based organization. We currently have about 15-20 Linux servers that were set up manually over the years by various people, resulting in different methods for SSH access: some servers use a shared admin user with an SSH key, some are joined to the Windows domain via Winbind, and others allow direct root login with a password.
Most of these servers are running an outdated version of Debian, and as the designated 'Linux guy', I finally have the chance to rebuild them properly. As I write playbooks to standardize the configuration, I've hit a snag regarding remote admin access. I want every admin to log in with their own accounts for accountability.
I've considered a few possible solutions:
1. Set up local accounts and SSH keys for each admin on every server, but this means losing the central management benefits of Active Directory.
2. Use SSH certificates, but viable implementations seem limited and costly.
3. Implement Kerberos, which would let us reuse existing Windows credentials, but involves complications with connectivity to domain controllers for some internet-facing servers.
I'd love to hear how companies with similar setups approach this issue! What are your suggestions?
4 Answers
Definitely look into storing users' public SSH keys in Active Directory. I set up a system where the Linux machine does an LDAP query for a 'Notes' field to check for matching keys, and it works perfectly.
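The lookup this answer describes is normally wired into sshd through `AuthorizedKeysCommand`. The script below is an added example and is not code from the original thread. It assumes `ldap-utils` is installed, that the host has a machine keytab (for instance from a realm join) so a GSSAPI bind to the domain controller works, and that keys are stored in the attribute named by `AD_KEY_ATTR`; `info` is the LDAP name of the AD "Notes" field mentioned in the answer, and the base DN, script path and the LDIF sample are placeholders or constructed data.

```shell
#!/bin/sh
# Added example (not from the original thread): an sshd AuthorizedKeysCommand
# helper that fetches one user's public keys from Active Directory over LDAP.
# Assumptions: ldap-utils installed, a machine keytab so GSSAPI binds work,
# keys stored in the attribute AD_KEY_ATTR ("info" = the AD "Notes" field).
#
# Matching sshd_config lines (assumed path):
#   AuthorizedKeysCommand /usr/local/bin/ad-ssh-keys %u
#   AuthorizedKeysCommandUser nobody

AD_BASE="${AD_BASE:-DC=example,DC=com}"   # placeholder base DN
AD_KEY_ATTR="${AD_KEY_ATTR:-info}"

# Only lines that look like an OpenSSH public key are ever handed to sshd.
KEY_RE='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'

# fetch_ldif USER: query AD for the key attribute of one account (LDIF out).
fetch_ldif() {
    ldapsearch -LLL -o ldif-wrap=no -Y GSSAPI -Q -b "$AD_BASE" \
        "(&(objectClass=user)(sAMAccountName=$1))" "$AD_KEY_ATTR"
}

# extract_keys ATTR: read LDIF on stdin and print only key lines. Handles both
# plain "attr: value" and base64 "attr:: value" (what ldapsearch emits when a
# Notes field contains newlines); free text mixed in with the keys is dropped.
extract_keys() {
    attr="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$attr:: "*) value=$(printf '%s' "${line#"$attr:: "}" | base64 -d 2>/dev/null || true) ;;
            "$attr: "*)  value=${line#"$attr: "} ;;
            *) continue ;;
        esac
        printf '%s\n' "$value" | grep -E "$KEY_RE" || true
    done
}

# print_keys_for USER: the entry point sshd calls. Reject anything but a plain
# account name first so the value cannot alter the LDAP filter.
print_keys_for() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    fetch_ldif "$1" | extract_keys "$AD_KEY_ATTR"
}

# sample_ldif: constructed directory output (not real data) for an offline run.
# Bob's Notes field holds free text plus a key, so ldapsearch base64-encodes it.
sample_ldif() {
    bob_notes=$(printf 'Bob likes cats\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed bob@laptop' | base64 | tr -d '\n')
    printf 'dn: CN=alice,OU=Admins,DC=example,DC=com\n'
    printf 'info: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVk alice@ws\n'
    printf 'info: on-call rota B\n\n'
    printf 'dn: CN=bob,OU=Admins,DC=example,DC=com\n'
    printf 'info:: %s\n' "$bob_notes"
}

# demo: run the parser over the constructed sample instead of live LDAP.
demo() { sample_ldif | extract_keys info; }

if [ $# -gt 0 ]; then
    print_keys_for "$1"
fi
```

sshd only runs an `AuthorizedKeysCommand` that is given as an absolute path, owned by root and not writable by group or others, and `AuthorizedKeysCommandUser` must be set. Because the command's output is consulted in addition to `AuthorizedKeysFile`, a local break-glass account with a file-based key still works if the domain controller is unreachable, which is the failure mode to plan for on the internet-facing hosts.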
Red Hat suggests using Realmd for this type of integration. Even if you're not a Linux admin, it might still be applicable for your needs.
Using realmd and sssd can make things a lot simpler than it used to be. With this setup, you can also incorporate some sudo access for more control. It's definitely worth considering if you're looking for ease.
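As an added example (not from the original thread) of the access control and sudo part of this answer: after `realm join`, the generated sssd configuration admits every domain account. The script below renders an `sssd.conf` that limits logins to one AD group and a matching `sudoers.d` snippet, and validates the snippet with `visudo -c` before sudo reads it. The realm `example.com`, the group `linux-admins` and the file paths are placeholders; `cache_credentials = True` is included so admins can still log in while a domain controller is unreachable.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a realm already joined
# with realmd/sssd; realm name and group name below are placeholders.

# render_sssd_conf REALM GROUP: sssd.conf allowing logins only from GROUP.
render_sssd_conf() {
    realm="$1"; group="$2"
    cat <<EOF
[sssd]
domains = $realm
config_file_version = 2
services = nss, pam

[domain/$realm]
id_provider = ad
auth_provider = ad
# realm join writes access_provider = ad, which admits any domain account.
# The simple provider limits PAM access to members of the named group.
access_provider = simple
simple_allow_groups = $group
# Keep working through DC outages (relevant for internet-facing hosts).
cache_credentials = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
default_shell = /bin/bash
EOF
}

# render_sudoers GROUP: sudoers.d snippet granting full sudo to GROUP only
# (a leading % marks a group; with use_fully_qualified_names = False the
# bare AD group name is what getent sees).
render_sudoers() {
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$1"
}

# install_policy REALM GROUP: write both files with the modes sssd and sudo
# require, check the sudoers snippet, then reload sssd.
install_policy() {
    render_sssd_conf "$1" "$2" > /etc/sssd/sssd.conf
    chmod 600 /etc/sssd/sssd.conf
    render_sudoers "$2" > "/etc/sudoers.d/$2"
    chmod 440 "/etc/sudoers.d/$2"
    visudo -cf "/etc/sudoers.d/$2"
    systemctl restart sssd
}

if [ $# -eq 2 ]; then
    install_policy "$1" "$2"
fi
```

`realm permit -g linux-admins@example.com` is realmd's own front-end for the same `simple_allow_groups` setting, so on a box that realmd manages you can use that instead of rewriting `sssd.conf` by hand; the sudoers snippet still has to be written separately.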
You might want to check out PAM modules, which can authenticate against Windows servers for SSH and other services easily, giving you a solid integration.
Actually, AD has a specific attribute for storing SSH public keys, so using the Notes field isn't necessary at all.