Being in touch with unixoid servers I quite know my way around SSH. It’s as important as your daily dose of water to be able to authenticate to servers via the SSH protocol.
However, an SSH environment isn’t known to be easy to maintain. For a security protocol, that’s quite a pity.
A nice way of authenticating users is the use of public/private key pairs, using either RSA or DSA encryption (with DSA being the better one). Using password-protected SSH keys also easily enables you to use 2-factor authentication.
The public keys of all users allowed to log on as a specific user on a specific host are stored in a file called „authorized_keys“ in the directory „.ssh“ under that user’s home directory.
If you only have a few hosts and a few users, it’s easy to maintain such an environment by manually keeping track of which users have access to which accounts on which systems.
However, if you have to manage a park of 300 systems and varying users, that is quite a task.
As I wasn’t able to find a decent, working tool to manage such an environment, I wrote my own and dug out my [[http://www.djangoproject.com|Django-knowledge]] from ages ago. I found Django quite nice for that task, as it is really quite powerful and makes simple database tasks easy (which is most of the work needed for such a management application). For the UI I used the [[http://html5boilerplate.com|HTML5Boilerplate-template]] and some handcrafted CSS.
The application is called **skd** (simple key distribution) and is available on its [[http://dploeger.github.com/skd/|Github-Page]]. It’s not complete yet and is in alpha stage, but you can try it on development servers to get an overview. You can also watch the project on GitHub to be notified when a first version is released.
**skd** organizes hosts and users with keys in groups and binds a hostgroup to a usergroup to grant access to all users in the usergroup to all hosts in the hostgroup.
Thus you could create a usergroup called „DMZ-administrators“ and a hostgroup called „DMZ-hosts“, put all DMZ-Administrators and -hosts into the groups and bind them together to quickly distribute all keys to these hosts.
And if you remove one user from a group and reapply, the key is removed from all hosts in just one click.
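The group binding described above, worked through as an added example that is not skd's own code: it resolves usergroup-to-hostgroup bindings into the key set each target should hold, then plans what a reapply changes after a user leaves a group. The function names, the account@host notation for targets, the host names and the placeholder key strings are all assumptions made for the illustration.

```python
# Constructed sample data: placeholder key material, hypothetical host names.
USER_KEYS = {
    "alice": {"ssh-rsa AAAA-CONSTRUCTED-ALICE alice@example"},
    "bob": {"ssh-rsa AAAA-CONSTRUCTED-BOB bob@example"},
}
USERGROUPS = {"DMZ-administrators": {"alice", "bob"}}
HOSTGROUPS = {"DMZ-hosts": {"root@dmz-web1", "root@dmz-mail1"}}
BINDINGS = [("DMZ-administrators", "DMZ-hosts")]  # (usergroup, hostgroup)


def desired_keys(bindings, usergroups, hostgroups, user_keys):
    """Return {target: set of public keys} implied by the group bindings."""
    # Start every known target empty, so a target that lost its last
    # authorised user still appears and gets its stale keys removed.
    wanted = {t: set() for targets in hostgroups.values() for t in targets}
    for usergroup, hostgroup in bindings:
        for target in hostgroups[hostgroup]:
            for user in usergroups[usergroup]:
                wanted[target] |= user_keys.get(user, set())
    return wanted


def plan_changes(current, wanted):
    """Return {target: {"add": [...], "remove": [...]}} for targets that differ."""
    plan = {}
    for target in sorted(set(current) | set(wanted)):
        have, want = current.get(target, set()), wanted.get(target, set())
        if have != want:
            plan[target] = {"add": sorted(want - have),
                            "remove": sorted(have - want)}
    return plan


def render_authorized_keys(keys):
    """Render one key per line, sorted so repeated runs give identical files."""
    return "".join(key + "\n" for key in sorted(keys))


def demo():
    """Deploy, drop bob from the usergroup, then plan the reapply."""
    deployed = desired_keys(BINDINGS, USERGROUPS, HOSTGROUPS, USER_KEYS)
    after = {"DMZ-administrators": USERGROUPS["DMZ-administrators"] - {"bob"}}
    wanted = desired_keys(BINDINGS, after, HOSTGROUPS, USER_KEYS)
    return plan_changes(deployed, wanted), render_authorized_keys(wanted["root@dmz-web1"])


if __name__ == "__main__":
    print(demo())
```

Because the plan is computed from the full desired state rather than from the single membership change, reapplying also corrects any target whose deployed keys have drifted from what the bindings allow.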
There are still some things to do. So if you know Django and Python, I’m happy to accept some pull requests.