Revons - SSH Key Authority
Features
- Easily manage SSH key access for all accounts on your servers.
- Manage user access and server-to-server access rules.
- Integrate with your LDAP directory service for user authorization.
- Automatically remove server access from people when they leave your team.
- Provides an easy interface for your users to upload their public keys.
- Designate server administrators and let them manage access to their own server.
- Create group-based access rules for easier management.
- Specify SSH access options such as `command=`, `nopty` etc. on your access rules.
- All access changes are logged to the database and to the system logs. Granting of access is also reported by email.
- Be notified when a server becomes orphaned (has no active administrators).
Requirements
- An LDAP directory service
- Apache 2.2 or higher
- PHP 5.6 or higher
- PHP JSON extension
- PHP LDAP extension
- PHP mbstring (Multibyte String) extension
- PHP MySQL extension
- PHP ssh2 extension
- MySQL (5.5+), Percona Server (5.5+) or MariaDB database
Installation
- Clone the repo somewhere outside of your default Apache document root.
- Add the following directives to your Apache configuration (eg. virtual host config):

  ```
  DocumentRoot /path/to/ska/public_html
  DirectoryIndex init.php
  FallbackResource /init.php
  ```

- Create a MySQL user and database (run in MySQL shell):

  ```sql
  CREATE USER 'ska-user'@'localhost' IDENTIFIED BY 'password';
  CREATE DATABASE `ska-db` DEFAULT CHARACTER SET utf8mb4;
  GRANT ALL ON `ska-db`.* TO 'ska-user'@'localhost';
  ```

- Copy the file `config/config-sample.ini` to `config/config.ini` and edit the settings as required.
- Set up authnz_ldap for your virtual host (or any other authentication module that will pass on an Auth-user variable to the application).
- Set `scripts/ldap_update.php` to run on a regular cron job.
- Generate an SSH key pair to synchronize with. SSH Key Authority will expect to find the files as `config/keys-sync` and `config/keys-sync.pub` for the private and public keys respectively. The key must be in `pem` format. The following command will generate the key in the required format:

  ```
  ssh-keygen -t rsa -b 4096 -m PEM -C 'comment' -f config/keys-sync
  ```

- Install the SSH key synchronization daemon.

  For systemd:

  - Copy `services/systemd/keys-sync.service` to `/etc/systemd/system/`
  - Modify `ExecStart` path and `User` as necessary. If SSH Key Authority is installed under `/home`, disable `ProtectHome`.
  - Run:

    ```
    systemctl daemon-reload
    systemctl enable keys-sync.service
    ```

  For sysv-init:

  - Copy `services/init.d/keys-sync` to `/etc/init.d/`
  - Modify `SCRIPT` path and `USER` as necessary.
  - Run:

    ```
    update-rc.d keys-sync defaults
    ```
Usage
Anyone in the LDAP group defined under `admin_group_cn` in `config/config.ini` will be able to manage accounts and servers.
Key distribution
SSH Key Authority distributes authorized keys to your servers via SSH. It does this by:
- Connecting to the server with SSH, authenticating as the `keys-sync` user.
- Writing the appropriate authorized keys to named user files in `/var/local/keys-sync/` (eg. all authorized keys for the root user will be written to `/var/local/keys-sync/root`).

This means that your SSH installation will need to be reconfigured to read authorized keys from `/var/local/keys-sync/`.
Please note that doing so will deny access to any existing SSH public key authorized in the default `~/.ssh` directories.
Under OpenSSH, the configuration changes needed are:

```
AuthorizedKeysFile /var/local/keys-sync/%u
StrictModes no
```

StrictModes must be disabled because the files will all be owned by the keys-sync user.
The file `/var/local/keys-sync/keys-sync` must exist, with the same contents as the `config/keys-sync.pub` file, in order for the synchronization daemon to authenticate.
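The following pre-flight script is an added example written for this page; it is not part of SSH Key Authority. It checks the four conditions the Key distribution and Installation sections set out before the daemon is enabled on a target server: that `sshd_config` points `AuthorizedKeysFile` at `/var/local/keys-sync/%u` with `StrictModes no`, that the server-side `/var/local/keys-sync/keys-sync` is identical to `config/keys-sync.pub`, that the private key is PEM-encoded as `ssh-keygen -m PEM` writes it, and, because disabling StrictModes removes sshd's own permission check, that nothing under the keys directory is group- or world-writable. All paths are passed in as arguments and are assumptions; the file names in the usage comment are the ones the page describes.

```shell
#!/bin/sh
# Added example (not SSH Key Authority project code): pre-flight checks for a
# target server's key-distribution setup. All paths are caller-supplied assumptions.

# Pass if sshd_config names /var/local/keys-sync/%u as AuthorizedKeysFile and
# sets StrictModes no. Only top-level directives are inspected; a later "Match"
# block could override them, so also confirm with "sshd -T" on a live host.
check_sshd_config() {
    cfg="$1"
    grep -Eq '^[[:space:]]*AuthorizedKeysFile[[:space:]]+/var/local/keys-sync/%u([[:space:]]|$)' "$cfg" || return 1
    grep -Eiq '^[[:space:]]*StrictModes[[:space:]]+no([[:space:]]|$)' "$cfg" || return 1
}

# Pass if the server-side copy of the sync key (/var/local/keys-sync/keys-sync)
# is byte-for-byte identical to config/keys-sync.pub from the SKA host.
check_sync_pubkey() {
    local_pub="$1"
    server_copy="$2"
    [ -f "$local_pub" ] && [ -f "$server_copy" ] || return 1
    cmp -s "$local_pub" "$server_copy"
}

# Pass if the private key is PEM-encoded (what "ssh-keygen -m PEM" writes);
# the newer "OPENSSH PRIVATE KEY" container is rejected.
check_private_key_pem() {
    first=$(head -n 1 "$1")
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") return 1 ;;
        "-----BEGIN "*" PRIVATE KEY-----") return 0 ;;
        *) return 1 ;;
    esac
}

# With StrictModes disabled, sshd no longer refuses group- or world-writable
# key files, so enforce that invariant here: nothing under the directory
# (including the directory itself) may be writable by group or others.
check_keys_dir_perms() {
    dir="$1"
    [ -d "$dir" ] || return 1
    if find "$dir" \( -perm -0002 -o -perm -0020 \) -print | grep -q .; then
        return 1
    fi
    return 0
}

# Run all checks; prints one line per check and returns non-zero on any failure.
# Arguments: sshd_config  local keys-sync.pub  server copy  private key  keys dir
run_checks() {
    rc=0
    check_sshd_config "$1"      && echo "sshd_config: ok"    || { echo "sshd_config: FAIL"; rc=1; }
    check_sync_pubkey "$2" "$3" && echo "sync pubkey: ok"    || { echo "sync pubkey: FAIL"; rc=1; }
    check_private_key_pem "$4"  && echo "private key: ok"    || { echo "private key: FAIL"; rc=1; }
    check_keys_dir_perms "$5"   && echo "keys dir perms: ok" || { echo "keys dir perms: FAIL"; rc=1; }
    return $rc
}

# Usage on a live host (paths are assumptions; /path/to/ska is wherever the repo was cloned):
#   run_checks /etc/ssh/sshd_config /path/to/ska/config/keys-sync.pub \
#              /var/local/keys-sync/keys-sync /path/to/ska/config/keys-sync /var/local/keys-sync
```

The permission check matters more than it looks: the page disables StrictModes so that files owned by keys-sync can serve other accounts, which also silences the check that would otherwise stop sshd from trusting a world-writable key file. Running this after each deployment, or from the same cron that runs `scripts/ldap_update.php`, keeps that invariant visible.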