Lead Image © Andriy Popov, 123RF.com


A central access manager for SSH, Kubernetes, and others

Bouncer

Article from ADMIN 70/2022
By
Teleport centrally manages logins against various protocols, including SSH, Kubernetes, and databases. Functions such as two-factor authentication are included in the scope of delivery, as is management of your own certificates.

A decade and a half ago, when security and compliance were not as dominant in some places as they are today, the number of accounts and passwords was more or less manageable, and many an admin got rid of local accounts altogether in favor of root on their SSH-only machines. Instead, a single root password worked everywhere in the setup and, with a little luck, was stored encrypted in a central password store somewhere.

Today, however, this practice is completely unthinkable. Various security standards (e.g., the Payment Card Industry Data Security Standard, PCI DSS) stipulate that it must be possible to trace who changed what on which systems and when, which makes individual accounts mandatory. Even the toughest deniers of the need for compliance now tend to avoid root logins over Secure Shell (SSH) protected by nothing but a password, and most distributions prohibit the practice in their default configuration (OpenSSH itself ships with PermitRootLogin prohibit-password, which blocks password logins for root but still admits a root key). Sudo and per-user SSH keys are the means of choice instead.
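As an added example that is not part of the article (and has nothing to do with Teleport itself), the following POSIX shell script audits an sshd_config for the two directives the paragraph refers to, PermitRootLogin and PasswordAuthentication, against constructed sample files. It is built around a caveat that bites in practice: sshd takes the first value it reads for a keyword, so a hardened line appended at the bottom of the file does nothing if an earlier line already set the keyword permissively, and directives below a Match block apply only conditionally. The file names and the sample configurations are made up for the example.

```shell
#!/bin/sh
# Added example, not from the article: audit an sshd_config for the settings
# discussed above (no root login, no password-only logins).
# Caveat the check is built around: sshd(8) uses the FIRST value it reads for
# a keyword, so a hardened line appended at the end of the file is ignored
# when an earlier line already set the keyword permissively.

# Print the effective value of a keyword in the global section of an
# sshd_config: first match wins, comment and blank lines are skipped, the
# keyword comparison is case-insensitive, and everything below a "Match"
# line is ignored because it only applies conditionally.
# The "Keyword=value" spelling is not handled here.
sshd_effective() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }             # comments and blank lines
        tolower($1) == "match" { in_match = 1 }   # everything below is conditional
        in_match { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Return 0 if the file enforces key-based, non-root access; otherwise print
# each finding and return 1. An unset PermitRootLogin is reported too: the
# OpenSSH default is prohibit-password, which still lets root in with a key,
# so the example insists on an explicit "no".
check_sshd_config() {
    f="$1"; rc=0
    root=$(sshd_effective "$f" PermitRootLogin)
    pw=$(sshd_effective "$f" PasswordAuthentication)
    case "$root" in
        no) ;;
        "") echo "$f: PermitRootLogin not set (default prohibit-password still admits a root key)"; rc=1 ;;
        *)  echo "$f: PermitRootLogin is '$root', want 'no'"; rc=1 ;;
    esac
    case "$pw" in
        no) ;;
        "") echo "$f: PasswordAuthentication not set (default is yes)"; rc=1 ;;
        *)  echo "$f: PasswordAuthentication is '$pw', want 'no'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configurations (not taken from any real host), written
# to a temporary directory so the script runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
weak="$tmp/weak_sshd_config"
hardened="$tmp/hardened_sshd_config"

cat >"$weak" <<'EOF'
# Looks hardened at the bottom, but sshd keeps the first value it sees.
PermitRootLogin yes
PasswordAuthentication yes
# ... many lines later, somebody "fixed" it:
PermitRootLogin no
PasswordAuthentication no
EOF

cat >"$hardened" <<'EOF'
permitrootlogin no
PasswordAuthentication no
# Conditional exception below must not be mistaken for the global setting.
Match User deploy
    PasswordAuthentication yes
EOF

for f in "$weak" "$hardened"; do
    if check_sshd_config "$f"; then
        echo "$f: OK"
    fi
done
```

On a live host, compare the result with `sshd -T`, which prints the configuration sshd actually applies after parsing, including compiled-in defaults; the script above is a static check on one file and does not follow Include directives.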

This practice works well as long as admins only need to operate and maintain machines that can be reached over SSH. However, that is decreasingly the case today. DevOps, the cloud, and containers have made information technology (IT) far more heterogeneous: Kubernetes APIs and databases need credentials, as do various other services, and each of them uses its own protocol for authentication.

Even SSH is not quite as clear-cut as it first seems: in the interest of security, it is now common not to give systems a direct connection to the Internet if they do not need one. SUSE Manager, Red Hat Satellite, and the like have long since solved the problem of delivering updates and other essentials to systems without direct Internet access.

The flip side, however, is that such systems can no longer be accessed directly over SSH. Instead, a jump host or cluster

...