Are You the Keymaster?

4.15.10 by Nathaniel Bibler

Back at FOWA Miami, Thomas Meeks and I found ourselves hopped up on Cuban coffee in the early hours of the morning.  Feeling thoroughly anti-social – and really, who wants to see a nerd at 4am – we decided to finally sit down and solve a problem that had been lingering around the office for a while.  How do we efficiently manage user accounts for all of our employees across all of our clients’ servers?  And, should something happen, how do we easily revoke those privileges if and when the time comes?

There are already plenty of [poor, annoying, grotesque, take your pick] solutions out there for “the enterprise.”  The primary options are LDAP and RADIUS.  For Envy Labs, we’re not quite big enough – or self-loathing enough – to add that complexity to our everyday workflow.  Plus, those solutions introduce a single point of failure, which can immediately and unforgivingly disable all access to all systems without warning.

And really, we love web apps and we really love Ruby; so, why leave them?

A couple of hours later, keymaster was born.  Paired with the client-side Ruby script, gatekeeper, we built a simple, secure way to easily manage users and SSH keys across all of our Linux systems.  Users are added to the keymaster, storing their preferred login and public SSH key, and then those users are assigned to one or more Projects in the system.  With the gatekeeper running on each of our client systems and routinely checking in, we now have a simple, automated way to manage all of our users and individual projects across all of our systems.  And, being nerd-paranoid, every response the keymaster generates is signed, via RSA keys, and verified by the gatekeeper.  No man-in-the-middle attack here, gosh darnit.

We can easily see who has access to what.  We can quickly add a new user to multiple projects.  We can even revoke access, knowing that as soon as the machines update, they’ll not only remove the user account, but also terminate all running processes and server access.  And the gatekeeper client even self-updates.  Imagine that.
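To make the signed-response idea from the two paragraphs above concrete, here is an added Ruby sketch of the exchange (it is not keymaster's or gatekeeper's actual code): the keymaster signs a per-project manifest of logins and public keys with its RSA private key, and the gatekeeper refuses any manifest that does not verify before it derives authorized_keys content or works out which accounts to revoke. The manifest layout, the SHA256 digest and the sample logins and keys are all assumptions constructed for this example.

```ruby
require "openssl"
require "json"
require "base64"

# Assumption: the keymaster holds the private key; every gatekeeper ships
# with only the matching public key (regenerated here so the example runs).
SERVER_KEY    = OpenSSL::PKey::RSA.new(2048)
CLIENT_PUBKEY = OpenSSL::PKey::RSA.new(SERVER_KEY.public_key.to_pem)

# Constructed sample manifest for one Project (fake, truncated keys).
MANIFEST = {
  "project" => "example-client",
  "users"   => [
    { "login" => "nbibler", "key" => "ssh-rsa AAAAB3...example1 nbibler" },
    { "login" => "tmeeks",  "key" => "ssh-rsa AAAAB3...example2 tmeeks" }
  ]
}

# keymaster side: sign exactly the bytes that go on the wire.
def sign_manifest(manifest, key)
  body = JSON.generate(manifest)
  sig  = key.sign(OpenSSL::Digest::SHA256.new, body)
  { "body" => body, "sig" => Base64.strict_encode64(sig) }
end

# gatekeeper side: verify first; return nil (trust nothing) on failure.
def verify_manifest(response, pubkey)
  sig = Base64.strict_decode64(response["sig"])
  return nil unless pubkey.verify(OpenSSL::Digest::SHA256.new, sig, response["body"])
  JSON.parse(response["body"])
rescue ArgumentError, OpenSSL::PKey::PKeyError
  nil
end

# authorized_keys content for a manifest that has already been verified.
def authorized_keys(manifest)
  manifest["users"].map { |u| u["key"] }.join("\n") + "\n"
end

# Logins provisioned locally but absent from the verified manifest are the
# ones the gatekeeper removes (account deletion, process termination).
def revoked_logins(current_logins, manifest)
  current_logins - manifest["users"].map { |u| u["login"] }
end

SIGNED   = sign_manifest(MANIFEST, SERVER_KEY)
# A tampered body (e.g. a login swapped in transit) must fail verification.
TAMPERED = SIGNED.merge("body" => SIGNED["body"].sub("tmeeks", "mallory"))
```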

At the present time, this project is highly specific to Envy Labs.  But, now that it’s been open sourced, we’d love to see what you will do with it, and we’ll be here to support you.

Not too shabby for a few hours and a few dozen commits, right?  Damn we love Ruby.

The image is “Keys” by takacsi75 on Flickr

  1. Great! I’ll definitely have a look at that.
