SSH Controls requires:

  • Korn shell
  • Perl (a recent v5 will do)
  • SSH client + server (on both SSH master & client hosts). SFTP must be allowed on all client hosts.
  • SUDO (on client hosts)

SSH Controls consists of:

  • A generated SSH public/private key pair for each end-user:
    • The private key is located on the end-user’s computer/device or source host.
    • The public key should be located at a pre-configured location on each of the client hosts (also referred to as the SSH Controls local repository).
  • A set of master configuration files (aka the SSH Controls master repository):
    • access: defines which persons (aka personal users or functional/technical accounts) should have access where (i.e. target host) and how (i.e. using which local OS account)
    • alias: defines aliases (aka groupings) for keys, users, hosts or other groups. These aliases may be referenced in the access file.
    • targets: defines the list of client hosts to which the SSH Controls files should be distributed.
    • keys (file) / keys.d (directory): can be either of
      • A file containing a pre-formatted list of public SSH keys
      • A directory containing individual public SSH key files (grouped or singular)
    • fingerprints: an on-demand generated list of SSH key fingerprints.
  • A set of management scripts:
    • update_ssh.pl: script to locally update & control the SSH authorized_keys files
    • manage_ssh.sh: script to distribute the SSH Controls files, create the fingerprints list or to trigger the update_ssh.pl script remotely.
    • convert_pubkey.pl: script to convert SSH public keys into the right format.
  • A correct working environment:
    • A working SSH login for each of the client hosts (a chicken-and-egg problem!)
    • A running SSH agent that will propagate the maintainer’s private key to each of the client systems for remote access/control (see also the Master to slave operations topic for more information on this).
    • Pre-configured SUDO rules for the SSH Controls on each of the client systems. You can use SUDO Controls for this purpose.
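The following script is an added illustration of the data flow described above (keys plus alias and access definitions resolved into per-host, per-account authorized_keys content, and an on-demand fingerprint list). It is not code from the SSH Controls project, and the in-memory layout of KEYS_D, ALIASES and ACCESS is a hypothetical format chosen for this example, not the project's own file formats. The public keys are constructed test data built from fixed bytes, not real keys; the fingerprint is computed the way OpenSSH prints it (SHA256 over the decoded key blob, base64 without padding). Only the Python standard library is used.

```python
"""Added example: resolve an SSH Controls-style master repository into
authorized_keys lines and a fingerprint list. Not the project's own code."""
import base64
import hashlib
import struct


def make_ed25519_pubkey(raw32: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from 32 raw bytes.
    Constructed test data only; the bytes are not a real key."""
    key_type = b"ssh-ed25519"
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(raw32)) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> dict:
    """Parse one OpenSSH public key line: '<type> <base64 blob> [comment]'.
    Rejects undecodable blobs and lines whose declared type does not match
    the type string encoded inside the blob (a check a key-conversion tool
    should do before a key is ever distributed)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"not a public key line: {line!r}")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # Wire format: uint32 length, the type string, then type-specific fields.
    (n,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + n].decode("ascii", errors="replace")
    if inner_type != key_type:
        raise ValueError(f"declared type {key_type} does not match blob type {inner_type}")
    return {"type": key_type, "b64": b64, "blob": blob, "comment": comment}


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Hypothetical master repository contents (constructed for this example).
KEYS_D = {                                   # keys.d: one public key per user
    "alice": make_ed25519_pubkey(b"\x01" * 32, "alice@laptop"),
    "bob": make_ed25519_pubkey(b"\x02" * 32, "bob@desk"),
    "deploy": make_ed25519_pubkey(b"\x03" * 32, "deploy-bot"),
}
ALIASES = {                                  # alias: groupings of users or hosts
    "@admins": ["alice", "bob"],
    "@webhosts": ["web01", "web02"],
}
ACCESS = [                                   # access: (who, where, as which local account)
    ("@admins", "@webhosts", "root"),
    ("deploy", "@webhosts", "www"),
    ("bob", "db01", "oracle"),
]


def expand(name: str, aliases: dict) -> list:
    """Recursively expand an alias into concrete names; plain names pass through."""
    if name in aliases:
        out = []
        for member in aliases[name]:
            out.extend(expand(member, aliases))
        return out
    return [name]


def resolve_access(access: list, aliases: dict) -> dict:
    """Return {(host, local_account): [user, ...]} with all aliases expanded."""
    grants = {}
    for who, where, account in access:
        for user in expand(who, aliases):
            for host in expand(where, aliases):
                grants.setdefault((host, account), []).append(user)
    return grants


def authorized_keys_for(host: str, account: str, grants: dict, keys: dict) -> list:
    """Lines a local updater would write to the account's authorized_keys on host.
    The user name is written as the key comment so ownership is visible locally."""
    lines = []
    for user in sorted(set(grants.get((host, account), []))):
        if user not in keys:
            raise KeyError(f"access grants {user} on {host} but no public key is known")
        key = parse_pubkey_line(keys[user])
        lines.append(f"{key['type']} {key['b64']} {user}")
    return lines


def fingerprint_list(keys: dict) -> dict:
    """The on-demand 'fingerprints' view: {user: SHA256 fingerprint}."""
    return {user: fingerprint(parse_pubkey_line(line)["blob"]) for user, line in keys.items()}


if __name__ == "__main__":
    grants = resolve_access(ACCESS, ALIASES)
    for (host, account), users in sorted(grants.items()):
        print(f"{host}:{account} <- {sorted(set(users))}")
    for line in authorized_keys_for("web01", "root", grants, KEYS_D):
        print(line)
    for user, fp in fingerprint_list(KEYS_D).items():
        print(f"{user} {fp}")
```

Running it stand-alone prints the resolved grants, the authorized_keys content for root on web01, and the fingerprint of every key. The type-consistency check in parse_pubkey_line is the part worth keeping in any real distribution pipeline: a key line whose declared type differs from the encoded blob is either corrupted or tampered with, and should never reach a client host's authorized_keys.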
