Channel: linuxadmin: Expanding Linux SysAdmin knowledge

OpenSSH + OpenLDAP authentication with public keys


Heya,

First time posting here, and haven't been posting too much on reddit in general either, so my formatting might be way off. Apologies in advance.

First, I'll outline our needs and current status: We have a mediocre amount of servers, that's going to grow somewhat (30ish).
Up until now, we've been manually handling the ~/.ssh/authorized_keys file on one user (let's just call it www-admin), but removing and adding keys from all the necessary servers whenever an employee leaves or joins the company is getting slightly tedious.
Now, we've decided to move to an easier ssh key management solution, and have started setting up an LDAP server with sshPublicKey property on users.

We've also already set up a group for each of the servers (so we can assign those to users who need access on the servers).

Now, currently, logging in with LDAP works as long as you're logging in as your own user, but we don't want that.
We want to be able to use OpenSSH + LDAP auth with public keys and still map every single user who should have access to the www-admin user on the servers.

Ideally, I'd love to be able to just say "ssh example.com" and get in, instead of "ssh www-admin@example.com".

Anyone got any pointers on how this should/could be done? We already get the added benefit of access logging from the OpenLDAP side by looking at which key was queried.

submitted by ShadowMorph
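
An added example, not part of the original post: one way the setup described above (sshPublicKey on users, one group per server, a shared www-admin login) could produce the key list that sshd reads through its `AuthorizedKeysCommand` option. The `memberOf` attribute, the DN layout, the `ldap:<uid>` comment tag and all sample data are assumptions made for illustration.

```python
import base64
import re

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

# Constructed `ldapsearch -LLL` style output; every DN, uid and key is made up.
_OPTS = base64.b64encode(b'command="/bin/sh" ssh-rsa AAAAB3Constructed carol').decode()
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\nuid: alice\n"
    "memberOf: cn=web01,ou=servers,dc=example,dc=com\n"
    "sshPublicKey: ssh-ed25519 AAAAC3ConstructedKeyAlice alice@\n laptop\n\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\nuid: bob\n"
    "memberOf: cn=db01,ou=servers,dc=example,dc=com\n"
    "sshPublicKey: ssh-ed25519 AAAAC3ConstructedKeyBob bob@pc\n\n"
    "dn: uid=carol,ou=people,dc=example,dc=com\nuid: carol\n"
    "memberOf: cn=web01,ou=servers,dc=example,dc=com\n"
    f"sshPublicKey:: {_OPTS}\n"
)

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]}, unfolding and base64-decoding."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # "\n " is LDIF line folding
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            if val.startswith(":"):                       # "attr:: <base64>"
                val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(val.strip())
        if entry:
            entries.append(entry)
    return entries

def authorized_keys(ldif, server_group_dn):
    """Return authorized_keys lines for members of this server's group."""
    lines = []
    for e in parse_ldif(ldif):
        groups = [g.lower() for g in e.get("memberof", [])]
        if server_group_dn.lower() not in groups:
            continue
        uid = e.get("uid", [""])[0]
        if not re.fullmatch(r"[a-z0-9._-]+", uid):
            uid = "unknown"
        for key in e.get("sshpublickey", []):
            f = key.split()
            # Emit only "<type> <blob>"; values that start with options are dropped
            if len(f) >= 2 and f[0] in KEY_TYPES and re.fullmatch(r"[A-Za-z0-9+/=]+", f[1]):
                lines.append(f"{f[0]} {f[1]} ldap:{uid}")
    return lines

if __name__ == "__main__":
    print("\n".join(authorized_keys(SAMPLE_LDIF, "cn=web01,ou=servers,dc=example,dc=com")))
```

Rebuilding each line from the key type and blob alone means a directory entry cannot inject authorized_keys options into the shared account's key list.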
