I'm looking for advice on setting up a bastion host for my servers. I currently have 25 different boxes and each box has a unique key since they are shared among various users. I'm trying to find a way to simplify the management of these keys because handling 25 separate keys can be a hassle, and I also worry about security risks involved with relaying keys. Additionally, I want to rotate the SSH keys every three months and easily revoke access for contract workers who leave. Any suggestions on how to streamline this process?
4 Answers
We manage our users and keys with Ansible as well and make it pretty straightforward. When a user leaves, I just set their account to be absent. We only rotate keys if there's a security incident or if we need a different key type. If you're feeling overwhelmed, perhaps consider automating the process more. What specific challenges are you facing that make this feel like a pain point?
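As an added example (not code posted by the answerer), one way to implement the "set the account to absent" approach with Ansible, keeping one list of users and public keys as the source of truth across all hosts; the inventory group, user names and key strings are placeholders:

```yaml
# Added example, not from the original answer. Rotating a key means editing the
# pubkey in ssh_users and re-running; revoking a contractor means flipping
# state to absent. Group name, user names and keys are placeholders.
- name: Manage SSH users and keys on all servers
  hosts: servers                  # assumed inventory group with the 25 boxes
  become: true
  vars:
    ssh_users:
      - name: alice
        state: present
        pubkeys:
          - "ssh-ed25519 AAAA...PLACEHOLDER alice@laptop"
      - name: contractor_bob
        state: absent             # contract ended: account and keys removed
        pubkeys: []
  tasks:
    - name: Ensure accounts exist or are removed
      ansible.builtin.user:
        name: "{{ item.name }}"
        state: "{{ item.state }}"
        shell: /bin/bash
        remove: "{{ item.state == 'absent' }}"   # also delete the home dir
      loop: "{{ ssh_users }}"
      loop_control:
        label: "{{ item.name }}"

    - name: Install exactly the listed keys; anything else is dropped
      ansible.posix.authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.pubkeys | join('\n') }}"
        exclusive: true           # old keys vanish on rotation
        state: present
      loop: "{{ ssh_users | selectattr('state', 'equalto', 'present') | list }}"
      loop_control:
        label: "{{ item.name }}"
```

Because `exclusive: true` removes every key not in the list, always run with the complete user list, or you will lock out anyone whose key was left out.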
In my experience, I use Termix for accessing different environments, which helps me handle SSH keys more easily. If you find the process exhausting, I suggest exploring some open-source solutions that provide real-time management of keys. It sounds like you're looking for something more robust to simplify your workflow!
Managing 25 separate keys means you might want to look into automation tools like Puppet or Ansible to keep track of everything. They can help manage user accounts and keys more efficiently. Sure, it might seem like a lot of work at first, but these tools make it much easier to maintain security and accessibility.
Ansible is a solid choice for key rotation and management. For just 25 users, though, you might not need a super complex solution—especially if your requirements aren't particularly stringent. Personally, I'd recommend implementing multi-factor authentication (MFA) on the bastion host to enhance security. Something like Yubikeys paired with DUO could really streamline your SSH access too!

I'm not struggling too much, but I'm just hoping to find a reliable open-source tool that can help with real-time management like those big enterprise solutions. Any recommendations?