SSH
metalforge, 2016-11-22 10:16:42

Single ssh access server, is it possible?

We administer a large VPN network (more than 1000 devices) via SSH. Each device has a unique password. There is a KeePass key; we build a database with the passwords of the devices they should have access to and issue it to employees. Security is limping on every leg and arm. Conventionally, an employee has a database with passwords and can leak it, but manual access to the management console for so many pieces of iron is hell! On customer requests you just hang on the phone for 3-5 minutes until you connect to the desired server.
Problem statement: a dedicated "authorization" server with a database of passwords for SSH connections.
What we want to achieve:
1. Hide the end-device passwords from employees.
2. Eliminate the possibility of direct, uncontrolled remote access to end devices (bypassing the "authorization" server).
3. Keep a log of connections and a log of employees' actions on end devices.
Requirements:
1. Mandatory access control to end devices.
2. No third-party software on end devices (certified hardware).
3. Free software.
The actual question/request: are there any similar solutions; has anyone implemented this in practice or designed it yourself? I would be glad of any advice/articles/literature on the topic.


5 answer(s)
athacker, 2016-11-22
@metalforge

Another example of the fact that certification is just a process of getting a dumb piece of paper and has nothing to do with real security :(
The login problem is solved by generating password-protected SSH keys for EACH employee, in the form of three years of execution without the right to correspondence. You can create employee accounts with automatically generated passwords; the password is not needed when logging in by key.
If you have hardware, use configuration management systems (chef/puppet/ansible) to centrally manage the deployment/removal/replacement of keys. Or custom scripts that connect via SSH and manage keys with shell commands. If you have servers, you can use the same management systems (puppet etc.), but there are other options, such as OpenSSH in conjunction with LDAP.
The logging problem is solved by setting up one syslog server and specifying in the settings of all servers that logs should be stored not only locally but also sent to that server. Put modification of the syslog.conf file on all servers under monitoring, so that an alert is sent every time it changes (so there is no temptation to quietly turn off log forwarding).
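As an added example that is not part of this thread or any answer in it: a Python script that turns sshd lines forwarded to the central syslog server into the connection log the asker wants (who logged into which device, from where, with which key) and flags two things a defender would watch for under this scheme: logins that still use a password instead of a key, and logins that did not come from the access server. The bastion address, hostnames, users and log lines are all constructed.

```python
import re

# Constructed sample of sshd lines as they would arrive on the central syslog
# server (hostnames, users, addresses and fingerprints are made up).
SAMPLE_LOG = """\
Nov 22 10:16:42 vpn-gw-017 sshd[1234]: Accepted publickey for ivanov from 10.0.5.21 port 51234 ssh2: RSA SHA256:AbCdEf0123456789AbCdEf0123456789AbCdEf0123456789AbCdEf01
Nov 22 10:17:01 vpn-gw-018 sshd[1240]: Accepted password for petrov from 10.0.5.21 port 51240 ssh2
Nov 22 10:18:05 vpn-gw-019 sshd[1250]: Accepted publickey for sidorov from 192.168.77.9 port 4000 ssh2: ED25519 SHA256:ZyXwVu9876543210ZyXwVu9876543210ZyXwVu9876543210ZyXwVu98
Nov 22 10:19:30 vpn-gw-019 sshd[1255]: Failed password for root from 203.0.113.5 port 4001 ssh2
"""

# OpenSSH "Accepted ..." / "Failed ..." auth lines; the key fingerprint is only
# present for publickey logins, so that group is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2(?:: \w+ (?P<fp>SHA256:\S+))?$"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text, bastion_addr):
    """Build the connection log and flag logins that violate the scheme:
    password logins (keys are expected) and logins not via the bastion."""
    connections, findings = [], []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["result"] != "Accepted":
            continue  # failed attempts are not connections; keep them for brute-force stats elsewhere
        connections.append((ev["ts"], ev["host"], ev["user"], ev["src"], ev["fp"]))
        if ev["method"] != "publickey":
            findings.append(("password-login", ev["host"], ev["user"], ev["src"]))
        if ev["src"] != bastion_addr:
            findings.append(("bypassed-bastion", ev["host"], ev["user"], ev["src"]))
    return connections, findings


if __name__ == "__main__":
    conns, finds = audit(SAMPLE_LOG, "10.0.5.21")  # 10.0.5.21 is the constructed bastion address
    for c in conns:
        print("CONNECTION", *c)
    for f in finds:
        print("FINDING", *f)
```

With the sample above it records three connections and raises two findings: petrov's password login on vpn-gw-018 and sidorov's direct login to vpn-gw-019 that did not pass through the access server.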

index0h, 2016-11-22
@index0h

Uh... why don't SSH keys suit you?

Andrey Korytov, 2016-11-22
@AKorytov

Are NIS/YP not suitable for your purposes?

Anton_Shevtsov, 2016-12-01
@Anton_Shevtsov

Thycotic Secret Server.

astashov, 2016-12-01
@astashov

Why not OTPW? Is it impossible because of certification?
We just have a few hundred servers behind OTP and it's fine. The password is obtained from the portal and is updated every 6 hours. I.e. you take a set of answers, and after 6 hours they are no longer valid.
Well, this is our particular experience, and we do not have certification.
