SSH and Machines

Using PI 3.4

We have about 150 Linux servers that we need to control SSH login to, and around 15 users that will be logging in.

I can add SSH keys fine. My servers are showing up. But what I don’t see is a way to define a group of machines that a user can log in to. Do I really need to go to every server, set it to ssh and add the users manually? So if we add a new user, I need to go to all 150 servers and add them? And for every server we bring up, I need to manually go to it and set it to ssh and define the users?

I’m hoping I’m missing something, but this doesn’t seem very user friendly.


Thank you!

Unfortunately you are right. We would be happy to receive your input about any of your ideas or requirements about grouping your servers!

Do you already have defined server groups? So that you do not need to configure the groups within privacyIDEA but you could read groups from somewhere?

Where are your users located? Are these users “grouped”?

Looking forward to your input.

Absolutely! I can see this happening in a couple of different ways.

Our users are grouped in Active Directory, so we could pull their group memberships. We could put our servers into security groups as well. We don’t do this currently. But we do separate them by AD OU. What I’ve done so far is create separate machine LDAP queries by AD OU.

We could have a field in the LDAP configuration to assign AD User Security Group and the SSH token type automatically.

Or I can see a section where you can view the security groups, and within the group setting, assign a set of computers based on the computer group membership, or LDAP Machine query.

We have a developer portal in our VM environment where they can turn up and destroy virtual machines at will, so whatever the solution would be would have to allow periodic queries to update the group memberships.

The other option is to have us create computer and/or user groups within PI and apply the settings at the group level. If the developer brings up a dev portal VM (mentioned in the above paragraph), they can go into PI and assign themselves permission to the new VM. It doesn’t happen that often, so it wouldn’t be too cumbersome.

We’d like to balance the admins requirement to control access to things like production, staging, test servers, with the users ability to add themselves to their dev machines.

We already use SSSD to control access to the VM’s and are looking to replace password login with the SSH login so this would be a huge help.

Having to do all the settings in PI individually for all 150 VM’s is quite a large pain. In the mean time, is it possible to update settings via API or direct DB query? The environment doesn’t change “that” frequently, so getting it set up now is the pain point - manually adding a machine in the future is more doable by hand.

1 Like

I think it would be most straight-forward to use groups from AD and map them to machine groups.

We have an old issue here:

Maybe you can help to revive it and pass some input also there. Thanks a lot!