Now that you have the Key Server installed, you will want to start configuring access to some remote accounts.
In effect, this means mapping Key Server user accounts to the remote SSH accounts you want them to be able to access. There are two ways to do this: centrally, on the Key Server, or remotely, on the SSH server itself.
Before you do either, you need to install the integration scripts on the remote machine; this is covered in the article Installing Synchronization Scripts.
With central configuration, you assign users directly to the remote account on the Key Server.
The integration scripts create a unique identifier for the machine, which is combined with the remote user account name to create an assignable Remote Account resource on the Key Server.
You can view the remote accounts on the Key Server by logging into the Administrative CLI and issuing the remote-accounts command:
This returns output like:
If you do not see the remote account you want to assign users to, create it by logging into that account on the SSH server and running the synchronization script. For the root account, for example:
keyserver-sync /root root
This returns nothing, but it will have created the Remote Account resource on the Key Server. If you repeat the remote-accounts command, you should find the account is now listed.
You can now assign a Key Server user to the remote account:
remote-assign-user root@mysql firstname.lastname@example.org
Now that the Key Server user has been assigned to that account, they will be able to access it via SSH public key authentication.
To make larger deployments easier to manage, you can alternatively assign the remote account to a Role. Because access then flows through the Role, removing a user from it once revokes their access to every remote account the Role is assigned to. For example, create a Role with the following command:
# create-role SSH
Role SSH created
Then assign a user to that Role:
# assign-role SSH email@example.com
Finally, assign the Role to the Remote Account:
# remote-assign-role root@mysql SSH
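To make the difference between direct assignment and Role assignment concrete, here is a small in-memory model of the central configuration described above. It is an added example, not Key Server code: the data structures, the method names mirroring the CLI commands (remote-assign-user, create-role, assign-role, remote-assign-role) and the revoke_user helper are all assumptions made for illustration, and the account names other than root@mysql are constructed.

```python
"""Added example (not the Key Server's own code): a model of how direct
user assignments and Role assignments resolve to the set of Key Server
users that may authenticate to a given remote account.

Assumptions: the dictionaries below stand in for the Key Server's own
database; method names mirror the CLI commands only for readability.
"""
from dataclasses import dataclass, field


@dataclass
class AccessModel:
    # remote account id (e.g. "root@mysql") -> emails assigned directly
    direct: dict[str, set[str]] = field(default_factory=dict)
    # role name -> member emails
    roles: dict[str, set[str]] = field(default_factory=dict)
    # remote account id -> roles assigned to that account
    account_roles: dict[str, set[str]] = field(default_factory=dict)

    # Equivalent of: remote-assign-user <account> <email>
    def remote_assign_user(self, account: str, email: str) -> None:
        self.direct.setdefault(account, set()).add(email)

    # Equivalent of: create-role <role>
    def create_role(self, role: str) -> None:
        self.roles.setdefault(role, set())

    # Equivalent of: assign-role <role> <email>
    def assign_role(self, role: str, email: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.roles[role].add(email)

    # Equivalent of: remote-assign-role <account> <role>
    def remote_assign_role(self, account: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.account_roles.setdefault(account, set()).add(role)

    # Hypothetical single revocation step: one operation removes the user
    # from every Role and every direct assignment.
    def revoke_user(self, email: str) -> None:
        for members in self.roles.values():
            members.discard(email)
        for members in self.direct.values():
            members.discard(email)

    def effective_users(self, account: str) -> set[str]:
        """Users whose public keys belong in this account's authorized_keys."""
        users = set(self.direct.get(account, ()))
        for role in self.account_roles.get(account, ()):
            users |= self.roles.get(role, set())
        return users


def demo() -> dict[str, dict[str, set[str]]]:
    """Constructed scenario: one Role spread over three remote accounts."""
    accounts = ("root@mysql", "root@web", "deploy@web")  # constructed names
    m = AccessModel()
    m.create_role("SSH")
    m.assign_role("SSH", "email@example.com")
    for account in accounts:
        m.remote_assign_role(account, "SSH")
    # a second user assigned directly, without going through the Role
    m.remote_assign_user("root@mysql", "firstname.lastname@example.org")
    before = {a: m.effective_users(a) for a in accounts}
    m.revoke_user("email@example.com")   # one step revokes all three accounts
    after = {a: m.effective_users(a) for a in accounts}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, table in demo().items():
        print(phase)
        for account, users in table.items():
            print(f"  {account}: {sorted(users)}")
```

The point to take from the model is the membership check in effective_users: a user reaches a remote account either by direct assignment or through any Role assigned to that account, so revoking the Role membership is the single operation that closes every account reached through it, while the directly assigned user is unaffected.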
You can also configure Key Server users on the remote account itself. The integration scripts consult a number of files in the account's .ssh directory to determine access.
They will consult:
Put the email address of each Key Server account that should be allowed access to the remote account in this file, one email address per line.
Add to this file any additional static public keys you want included whenever authorized_keys is regenerated. You might use this for a backup key in case the Key Server is unavailable.
Neither file should be group- or other-writable. If in doubt, run chmod 600 on them before running the synchronization tool.
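The following added example models what a synchronization step on the remote account has to do with those two files: refuse to run if either is group- or other-writable, look up the keys for each listed email, append the static keys, and swap the result into authorized_keys atomically. It is not the vendor's keyserver-sync script. The file names keyserver_users and keyserver_static_keys are assumptions (the article does not name the files), and KEYSERVER_KEYS is a constructed in-memory table standing in for a query to the Key Server.

```python
"""Added example (not the vendor's keyserver-sync script): a simplified
remote-side synchronization that enforces the article's permission rule.

Assumed file names: .ssh/keyserver_users (email list) and
.ssh/keyserver_static_keys (extra static keys). The lookup table is a
constructed stand-in for the Key Server.
"""
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample: public keys the Key Server would return per account.
KEYSERVER_KEYS = {
    "email@example.com": [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne email@example.com",
    ],
    "firstname.lastname@example.org": [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo firstname.lastname@example.org",
    ],
}

USERS_FILE = "keyserver_users"          # assumed name
STATIC_FILE = "keyserver_static_keys"   # assumed name


def is_safe_mode(path: Path) -> bool:
    """True unless the file is group- or other-writable (the article's rule)."""
    return not (path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def build_authorized_keys(ssh_dir: Path, lookup=KEYSERVER_KEYS) -> list[str]:
    """Compute the authorized_keys lines without writing anything."""
    users_file, static_file = ssh_dir / USERS_FILE, ssh_dir / STATIC_FILE
    for f in (users_file, static_file):
        # A writable control file would let another local user grant access.
        if f.exists() and not is_safe_mode(f):
            raise PermissionError(f"{f} is group/other writable; chmod 600 it first")
    lines: list[str] = []
    if users_file.exists():
        for raw in users_file.read_text().splitlines():
            email = raw.strip()
            if not email or email.startswith("#"):
                continue
            keys = lookup.get(email)
            if not keys:
                continue  # unknown to the Key Server: nothing to authorize
            lines.extend(keys)
    if static_file.exists():
        lines.extend(l.strip() for l in static_file.read_text().splitlines() if l.strip())
    return lines


def sync(ssh_dir: Path, lookup=KEYSERVER_KEYS) -> Path:
    """Write authorized_keys via a temp file so sshd never reads a partial file."""
    lines = build_authorized_keys(ssh_dir, lookup)
    target = ssh_dir / "authorized_keys"
    tmp = target.with_suffix(".tmp")
    tmp.write_text("".join(line + "\n" for line in lines))
    os.chmod(tmp, 0o600)
    os.replace(tmp, target)
    return target


def demo() -> dict:
    """Constructed run: one good sync, then a refusal once a file is loosened."""
    with tempfile.TemporaryDirectory() as d:
        ssh = Path(d) / ".ssh"
        ssh.mkdir(mode=0o700)
        (ssh / USERS_FILE).write_text("email@example.com\nnobody@example.net\n")
        os.chmod(ssh / USERS_FILE, 0o600)
        (ssh / STATIC_FILE).write_text(
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBackupKey backup@ops\n")
        os.chmod(ssh / STATIC_FILE, 0o600)
        keys = sync(ssh).read_text().splitlines()
        os.chmod(ssh / USERS_FILE, 0o664)     # now group-writable: must be refused
        try:
            sync(ssh)
            refused = False
        except PermissionError:
            refused = True
    return {"keys": keys, "refused_when_writable": refused}


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the security weight: the permission check runs before anything is read, so a control file another local user could edit never influences authorized_keys, and the atomic rename means an interrupted sync leaves the previous authorized_keys intact rather than an empty one.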
A number of command scripts are also installed to make configuration easier. For example, any user can authorize a Key Server account to access their own account by executing:
auth-gateway-user --add <email>
To list all Key Server accounts currently allowed access to your account:
To revoke access to your account:
auth-gateway-user --remove <email>
You can also add a Key Server account that is allowed to authenticate as any user on the machine:
auth-gateway-user --add --system <email>
To show all globally authorized Key Server accounts:
To remove a Key Server account from those allowed to authenticate as any user:
auth-gateway-user --remove --system <email>