KeyManager: admins management tool
What is it?
keymgr is a software package that facilitates the management of
individual logins for system administrators of Linux
servers. In contrast with traditional approaches, keymgr
implements a solution that is completely independent of remote
authentication services. Each admin user owns a unique ssh key
pair that he uses to log in to each remote server. The head of
the system administration team manages a file that associates
each user with the servers he is allowed to log in to. keymgr puts the
keys together and deploys them on the servers.
In which scenarios can it be useful?
keymgr was developed for scenarios where:
- you don't want the remote login of system administrators
to depend on an external service that may go down with the
rest of the system;
- you manage a large number of servers;
- system admin members come and go, which forces an update of
the root password on the servers whenever one leaves.
How does it work?
- System admins upload their ssh public key to a system
console
- keymgr uses a configuration file with the mappings of
users on servers to prepare lists of public keys to be
uploaded to each server and signs them with a private key
- keymgr uploads the lists of public keys to the servers,
using ssh
- A cron job on each server verifies the signature and
installs the admins' public keys
- The system administrators can now log in to the server from
their desktop computers using ssh
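The sign-then-verify steps above can be sketched with openssl as follows. This is an added example, not keymgr's own code: the function names, file names and the choice of SHA-256 are assumptions, and the key entries are constructed placeholders.

```shell
#!/bin/bash
# Added example: names, paths and formats here are assumptions, not keymgr's own.

# Console side: sign the per-server key list with the console's private key.
sign_keylist() {      # usage: sign_keylist <keylist> <console_private.pem> <sig_out>
    openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# Server side (the cron job): install the list only if the signature verifies
# against the console public key already trusted on this server.
install_if_valid() {  # usage: install_if_valid <keylist> <sig> <console_public.pem> <dest>
    local list=$1 sig=$2 pub=$3 dest=$4 tmp
    # Fail closed: on any verification error the current file is left untouched.
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$list" >/dev/null 2>&1 || return 1
    # Write to a temp file in the same directory, then rename, so sshd never
    # reads a half-written authorized_keys.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    chmod 600 "$tmp" && cat "$list" > "$tmp" && mv -f "$tmp" "$dest" && return 0
    rm -f "$tmp"; return 1
}

# Demo on constructed data in a scratch directory.
demo() {
    local d; d=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/console.pem" 2>/dev/null
    openssl pkey -in "$d/console.pem" -pubout -out "$d/console.pub.pem"
    # Constructed placeholder entries, not real keys.
    printf '%s\n' 'ssh-ed25519 AAAAC3constructedkey1 alice@desk' \
                  'ssh-ed25519 AAAAC3constructedkey2 bob@desk' > "$d/keys"
    sign_keylist "$d/keys" "$d/console.pem" "$d/keys.sig"
    install_if_valid "$d/keys" "$d/keys.sig" "$d/console.pub.pem" "$d/authorized_keys" \
        && echo "signed list installed"
    # A list changed after signing must be rejected.
    echo 'ssh-ed25519 AAAAC3constructedkey3 extra@desk' >> "$d/keys"
    install_if_valid "$d/keys" "$d/keys.sig" "$d/console.pub.pem" "$d/authorized_keys" \
        || echo "modified list rejected, authorized_keys unchanged"
    rm -rf "$d"
}
demo
```

The verification key must already be on the server through a separate trusted path; a public key delivered alongside the list it verifies proves nothing.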
Other features
keymgr was designed to be fairly simple to use and (hopefully)
secure.
- The number of passwords/passphrases required was kept to a
minimum. The upload of keys requires the typing of 2
passphrases, independently of the number of servers and users
involved.
- keymgr supports the update of the asymmetric key pair used by
the console for signing the upload of new keys.
- The configuration file defines groups of users and servers,
making the addition and removal of both as simple as editing one
text file.
- It is possible to test a command before effectively using it
with Gentoo-like --ask and --pretend arguments.
- The server side script makes a large number of configuration
tests and recommendations to simplify installation.
What are keymgr's software dependencies?
keymgr was designed with the idea of keeping its
software dependencies to a minimum, in order to not interfere with
minimalist server installations. It was coded in bash and makes use
of the following tools:
- awk
- bash
- cut
- grep
- openssl
- sed
- ssh
- sudo
- one of the rssh or scponly shells (for servers only)
Installation
Download the keymgr software bundle
(MD5 sum: f5d8ae33f230eb1c6b0f6d6682582222) and follow the instructions of
the README.txt file.
License, feedback, support and others
keymgr is made available under the GNU GPL License. Feel free to
use and edit it.
Comments and suggestions are welcome. Contributions for
patching bugs or improvements are preferred.
Also, it will be good to know that this software is
useful. Send an e-mail
to
just to let us know how it is being used.
Change log
- Feb 23rd, 2015
- Published version 0.9