Now you have the Key Server installed you will want to start configuring access to some remote accounts.
This is in effect, mapping Key Server user accounts to the remote SSH accounts that you want them to be able to access. There are two ways to do this, centrally or remotely.
Before you do either, you need to install our integration scripts on the remote machine which is covered in the article Installing Synchronization Scripts
Centralized Configuration
With this type of configuration, you assign users directly to the remote account on the key server.
The integration scripts create a unique identifier for the machine which is combined with the remote user account name to create an assignable resource on the Key Server.
You can view the remote accounts on the Key Server by logging into the Administrative CLI and issuing the command:
remote-accounts
This returns output like:
Account Hostname
------- --------
root ks2
root www
If you do not see the remote account you want to assign users to, create it by logging into the remote account on the SSH server and running the following command:
keyserver-sync /root root
This will return nothing but it will have created the Remote Account resource on the Key Server. If you repeat the remote-accounts command you should find the account is now listed.
# remote-accounts
Account Hostname
------- --------
root ks2
root www
root mysql
You can now assign a Key Server user to the remote account
remote-assign-user root@mysql lee@jadaptive.com
Now that the Key Server user has been assigned to that account, they will be able to access the account via SSH public key authentication.
To make it easier to manage larger datasets you can alternatively assign the remote account to a Role. Assigning the Role means you only have to remove a user once to revoke access to many remote accounts. For example, you can create a Role with the following command:
# create-role SSH
Role SSH created
Then assign a user to that role
# assign-role SSH lee@jadaptive.com
Then, finally, assign the Role to the Remote Account
# remote-assign-role root@mysql SSH
Remote Configuration
You can also configure Key Server users on the remote account itself. The integration scripts work with a number of files in the accounts .ssh directory to determine access.
It will consult:
~/.ssh/authorized_users
Place the email addresses of Key Server accounts that you want to allow access to the remote account in this file. One email address per line.
~/.ssh/static_keys
Add any additional static keys you want to add when authorized_keys is updated. You might want to use this for a backup key in case the Key Server is not available.
The permissions on these files should not be GROUP or OTHER writable. If in doubt, chmod 600 on these files before running the synchronization tool.
There are also a number of command scripts installed to make configuration easier. For example, any user can authorize access to a Key Server account by executing the command:
auth-gateway-user --add <email>
To list all Key Server accounts currently allowed access to your account:
auth-gateway-user
To revoke access to your account:
auth-gateway-user --remove <email>
You can add a Key Server account that is allowed to authenticate as any user
auth-gateway-user --add --system <email>
Show all globally authorized Key Server accounts
auth-gateway-users --system
Remove a Key Server account from those allowed to authenticate as any user
auth-gateway-user --remove --system <email>
