@ramin_hal9001 @alex_02 @nixCraft
Problem with copying keys about - especially in a large-scale environment - is the "how do you make sure <EX_EMPLOYEE>'s keys are all removed everywhere".

@ferricoxide @ramin_hal9001 @alex_02 @nixCraft By pushing the keys via your centralized authentication system? So they don't exist on the box themselves, and the centralized account is also removed?
Of course, then you also need something which is going to be checking every server to make sure no rogue accounts have been created.

@fuzzysteve @ramin_hal9001 @alex_02 @nixCraft Yes. In general, offloading to a third-party key-auth mechanism is going to avoid the "stale keys" problem. Similarly, a combination of configuring SSH to ignore locally-staged keys, configuring sudo and/or SELinux to prevent random users from creating local accounts, and having good monitoring/alerting in place goes a long way towards solving the "rogue accounts" problem.
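The two controls discussed in the thread (sshd sourcing keys from a central service while ignoring local authorized_keys files, plus a periodic sweep for rogue accounts and leftover key files) as a worked example. This is an added script, not code from any of the posters; the sshd_config fragments, the /etc/passwd contents, the allowlist and the `/usr/local/bin/fetch-keys-from-directory` helper path are all constructed for the demo, and the UID >= 1000 cut-off for "interactive account" is an assumption that will need adjusting to local policy.

```shell
#!/bin/sh
# Added example: verify sshd is configured to take keys from a central
# source, then audit a host for rogue accounts and stray authorized_keys
# files. Every input below is constructed for the demo; paths, user names
# and the fetch-keys helper are assumptions, not real infrastructure.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- Constructed sample data ------------------------------------------------

# sshd_config as it should look when keys come from a central directory:
# per-user files are ignored entirely, so a key copied onto the box is inert.
cat > "$WORK/sshd_config.good" <<'EOF'
PasswordAuthentication no
AuthorizedKeysFile none
AuthorizedKeysCommand /usr/local/bin/fetch-keys-from-directory %u
AuthorizedKeysCommandUser nobody
EOF

# Weak variant: local files are still honoured, so an ex-employee's key
# that was copied about by hand keeps working.
cat > "$WORK/sshd_config.weak" <<'EOF'
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
EOF

# Sample /etc/passwd (constructed): root, a system account, two approved
# humans, and one login-capable account nobody provisioned centrally.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
backupsvc:x:1003:1003::/home/backupsvc:/bin/bash
EOF

# Allowlist of interactive users as exported from the central directory.
printf 'alice\nbob\n' > "$WORK/allowed"

# A leftover authorized_keys file under one home directory (fake key).
mkdir -p "$WORK/home/alice/.ssh" "$WORK/home/bob/.ssh"
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal ex-employee@laptop" \
  > "$WORK/home/bob/.ssh/authorized_keys"

# --- Checks -----------------------------------------------------------------

# Returns 0 only if the config both ignores local key files and names a
# command that supplies keys; anything else leaves the stale-key problem open.
sshd_uses_central_keys() {
  cfg=$1
  grep -Eiq '^[[:space:]]*AuthorizedKeysFile[[:space:]]+none' "$cfg" &&
  grep -Eiq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+[^[:space:]]' "$cfg"
}

# Prints login-capable accounts (UID >= 1000, shell not nologin/false) that
# are absent from the central allowlist. Empty output means no rogue accounts.
rogue_accounts() {
  passwd=$1; allowed=$2
  awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ {print $1}' "$passwd" \
    | grep -vxF -f "$allowed" || true
}

# Prints authorized_keys files under a home root. With AuthorizedKeysFile none
# they are ignored by sshd, but their presence shows keys were copied by hand.
stray_key_files() {
  find "$1" -type f -name authorized_keys | sort
}

# --- Demo run ---------------------------------------------------------------

if sshd_uses_central_keys "$WORK/sshd_config.good"; then
  echo "good config: keys come from the central command, local files ignored"
fi
if ! sshd_uses_central_keys "$WORK/sshd_config.weak"; then
  echo "weak config: local authorized_keys files are still honoured"
fi
echo "rogue accounts: $(rogue_accounts "$WORK/passwd" "$WORK/allowed")"
echo "stray key files:"
stray_key_files "$WORK/home"
```

On a real fleet the three functions would be pointed at the live `/etc/ssh/sshd_config`, `/etc/passwd` and `/home`, and the allowlist would be pulled from the directory service at run time; any non-empty output from `rogue_accounts` or `stray_key_files` is what the monitoring/alerting mentioned above should fire on.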