Fuzzysteve

@ferricoxide @ramin_hal9001 @alex_02 @nixCraft By pushing the keys via your centralized authentication system? So they don't exist on the box themselves. And that the centralized account is also removed?
Of course, then you also need something which is going to be checking every server to make sure no rogue accounts have been created.

1 comment
Thomas H Jones II

@fuzzysteve @ramin_hal9001 @alex_02 @nixCraft

Yes. In general, offloading to a third-party key-auth mechanism is going to avoid the "stale keys" problem.

Similarly, a combination of configuring SSH to ignore locally-staged keys, configuring sudo and/or SELinux to prevent random users from creating local accounts, and having good monitoring/alerting in place goes a long way towards solving the "rogue accounts" problem.
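A host-side audit of the kind both posts describe, as an added example that is not code from either poster: it flags regular local accounts missing from the central directory's allowlist, finds locally staged authorized_keys files, and checks whether sshd_config actually disables the local key file. The UID threshold, the allowlist source and the /usr/local/bin/central-keys helper path are assumptions.

```python
import os

UID_MIN = 1000  # first regular (non-system) UID on most Linux distros; see UID_MIN in /etc/login.defs
# Constructed sample inputs so the checks can run offline.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
mallory:x:1001:1001::/home/mallory:/bin/bash
"""
SAMPLE_SSHD_CONFIG = """\
# keys come only from the central directory; the helper path is hypothetical
AuthorizedKeysFile none
AuthorizedKeysCommand /usr/local/bin/central-keys %u
AuthorizedKeysCommandUser nobody
"""

def parse_passwd(text):
    """Parse passwd(5)-format text into (name, uid, home) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # blank, comment or malformed line
        entries.append((fields[0], int(fields[2]), fields[5]))
    return entries

def rogue_accounts(entries, allowlist, uid_min=UID_MIN):
    """Regular local accounts that the central directory does not know about."""
    return sorted(n for n, uid, _ in entries if uid >= uid_min and n not in allowlist)

def staged_keys(entries, isfile=os.path.isfile):
    """~/.ssh/authorized_keys files present on disk; with central auth there should be none."""
    paths = (os.path.join(home, ".ssh", "authorized_keys") for _, _, home in entries)
    return [p for p in paths if isfile(p)]

def sshd_ignores_local_keys(config_text):
    """True only if AuthorizedKeysFile is 'none' in the global section.
    sshd keeps the first value it sees for a keyword, so the first line wins;
    AuthorizedKeysCommand alone is not enough, the file is still consulted."""
    settings = {}
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # per-user Match blocks need their own review
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings.get("authorizedkeysfile", "").lower() == "none"
```

On a real host, feed the contents of /etc/passwd and /etc/ssh/sshd_config to the functions and treat any non-empty rogue or staged-key list, or a False policy result, as an alert.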
