The purpose of this document is to overcome the issue that we face at our AWS environment. Its true that amazon not keeping our private key, when we have create a new instance. But we are not very strict about those aws keys, most of the team inside the company use the key and keep the same in lots of the place, and this can cause of a security hole.
Example:
Let say foo.com is an online company and the qa environment people is not keeping track of where the keys are keeping. They are not very sure about the keys. Let say if any of the qa team person kept the key at document root and later some how that key got into hand of some cracker, then he/she can log-in to the QA environment and that's compromise our environment.
2. What we can do?
Its true that without the key no one can able to log-in. But we don't even want to share those aws keys to everyone.
So, create your own ssh-key pairs, with a pass-phase.
1. ssh-keygen [enter]
2. select your preferred key type [rsa / dsa] or can go for the default one. [ enter ]
3. in pass-phase enter a password.
After that you can update the public key of that key pairs to qa server's authorized_keys and share the QA team. Now onwards when ever they want to login to the qa servers, they can use the same key from a blessed host. [ You can create a secure host, from where every-one login to company servers]. And you can protect the blessed hosts in the same way.
3. Question(s)?
How do I perform the automation:
You can do the following for that:
1. Log in to bless host [ with your personal keys ].
2. use "ssh-agent bash" [ I am using bash, you can use any of your shell ]
3. ssh-add [ at this time it will ask for the password, provide the password. ]
Later you can log-in to the qa server from the bless hosts without typing the password again and again.
You might also like to go through "screen" command.
4. Further reading:
Please go through further documentation on the following command for more details:
ssh-keygen
ssh-agent
ssh-add
screen
No comments:
Post a Comment