KeyManager: admins management tool

What is it?

keymgr is a software package that facilitates the management of individual logins for system administrators of Linux servers. In contrast with traditional approaches, keymgr implements a solution that is completely independent of remote authentication services. Each admin user owns a unique ssh key pair that he uses to login on each remote server. The head of the system administration team manages a file that associates each user to the servers he is allowed to login. keymgr puts the keys together and deploys them on the servers.

In which scenarios can it be useful?

keymgr was developed for scenarios where:

1. you don't want the remote login of system administrators to depend of an external service, that may go down with the rest of the system;
2. you manage a large number of servers;
3. system admin members come and go, what forces an update of the root password on the servers whenever one goes;

How it works?

1. System admins upload their ssh public key to a system console
2. keymgr uses a configuration file with the mappings of users on servers to prepare lists of public keys to be uploaded to each server and signs them with a private key
3. keymgr uploads the lists of public keys to the servers, using ssh
4. A cron job on each server verifies the signature and installs the admin's public keys
5. The system administrators can now login on the server from their desktop computers using ssh

Other features

keymgr was thought to be fairly simple to use and (hopefully) secure.

• The number of password/passphrases required was kept at a minimum. The upload of keys requires the typing of 2 passphrases, independently of the number of servers and users involved.
• keymgr supports the update of the asymetric key pair used by the console for signing the upload of new keys.
• The configuration file defines groups of users and servers, making the addition and removal of both as simple as editing one text file.
• It is possible to test a command before effectively using it with Gentoo's like --ask and --pretend arguments.
• The server side script makes a large number of configuration tests and recommendations to simplify installation.

What are keymgr software dependencies?

keymgr was designed with the idea of keeping its software dependencies to a minimum, in order to not interfere with minimalist server installations. It was coded in bash and makes use of the following tools:

• awk
• bash
• cut
• grep
• openssl
• sed
• ssh
• sudo
• one of rssh or scponly shells (for servers only)

Installation

Download the keymgr software bundle (MD5 sum: f5d8ae33f230eb1c6b0f6d6682582222) and follow the instructions of the README.txt file.

License, feedback, support and others

keymgr is made available under the GNU GPL License. Feel free to use and edit it.

Comments and suggestions are welcome. Contributions for patching bugs or improvements are preferred.

Also, it will be good to know that this software is useful. Send an e-mail to just to let us know how it is being used.

Change log

Feb 23rd, 2015

Published version 0.9