Ale*_*lex 6 security ssh ssh-keys shell-scripting
问题:
We have many dev/qa/prod RH/Solaris servers with many accounts having ssh trust between them, including between servers in different environments (prod->prod, but also qa->prod). I know this is a bad practice, and the first step I'm trying to take to resolve it is to understand which accounts on which boxes can ssh to which other accounts on which boxes without a password.
My approach was going to be a shell script to log into a specified list of servers, and sudo go through /etc/passwd file to get a list of all accounts and home directories, look at the latter for presence of .ssh and id_rsa.pub and/or id_dsa.pub and authorized_keys and output this information, per account per box, to stdout on the machine running the script.
The fact that users can specify a key for ssh to use that is not the default is an acknowledged limitation. (I'm assuming that is not the case)
Then use the output to create an html page with JavaScript objects {username, machine_name, rsa_key, dsa_key, authorized_keys[]} created from the output above, and use JQuery (or similar) to display the hierarchy (how is tbd).
My question is, does something to address this kind of an issue already exist? And if not, any input on my approach would be welcome.
看起来您很清楚自己在这里做什么。记录哪些系统可以在没有任何密码的情况下连接到事物总是一个好主意。这样做不一定是不好的做法,实际上需要做一些事情,但您需要知道如果有人闯入您的一台服务器,这一切是如何工作的 - 他们还获得了哪些访问权限?
值得一看的地方是所有服务器上的身份验证日志。这将告诉您当前脚本/程序实际使用了哪些键。
SSHd 确实会告诉您用户如何登录。在日志中您应该看到类似以下的行:
Accepted publickey for automatedprocess from 123.456.789.012 port 12345 ssh2
浏览日志并查找日志所在服务器、用户名和发件人地址的所有唯一组合,将显示哪些系统一直在使用这些密钥。
这也可能为您提供一个良好的起点,了解哪些不再需要,哪些被自动化流程定期使用。