Linux User Management & Turbot SSH Key Overview

Overview

Turbot’s Linux User Management features are part of Turbot’s Identity and Access Management model, which spans the Turbot, AWS, OS, and DB tiers. Users can be associated with a Turbot Managed Directory or with a customer’s LDAP-connected directory (e.g. Active Directory (AD)). Through Turbot’s Role Permissions, users can be granted Linux/* roles at varying levels of permission across different layers of the resource hierarchy (e.g. Cluster level, Account level, per-resource level).

There are a number of Turbot Options that enable Turbot to sync users’ SSH key(s) to the instances they have access to. When these options are enabled and the Turbot Key Pair is associated with an instance, Turbot connects to the instance to ensure users are synced appropriately. Turbot uses SSH to connect to the applicable instances from the Turbot Master VPC and runs Ansible playbooks to create, update, and delete user profiles and keys on each instance. Turbot syncs the SSH keys of any Linux/* user into the Linux instances they have access to, across one or many AWS accounts and instances.

The following Options need to be enabled across the applicable Account(s) in which Turbot is managing Linux users:

  • AWS > EC2 > Enabled = Set to Enabled.
  • AWS > EC2 > Linux User Management = Set to “Enforce: Users managed by Turbot” to enable management of user accounts. Note: If enabled, Turbot will manage user accounts on Linux instances based on membership in the Linux/* roles. Applies only to Linux instances launched with the Turbot key pair.
  • AWS > EC2 > Turbot SSH Keys = Set to “Enforce: Create SSH key if EC2 is enabled”. Note: This ensures that the Turbot SSH key exists in each region if EC2 is enabled.
  • Linux > Rights = Set to Enabled. Note: This allows Linux/* permissions to be granted in Turbot.

Note: ensure you have permission to provision the image you intend to use. For example, if you are using the AWS Quick Start AMIs, Turbot has EC2 Options that enable/disable use of RHEL, CentOS, Ubuntu, and Amazon Linux images. There may also be restrictions on which AMI IDs, or AMIs from which publishers, are allowed in the account. Please review your EC2 Options and/or reach out to your Cloud Team for more information.

To be eligible for the user sync, a user must have one of the following Linux permissions granted:

  • Linux/SuperUser - Full sudo permissions.
  • Linux/Admin - Full sudo permissions.
  • Linux/Operator - Can reboot, halt, and power off instance.
  • Linux/User - Can log in to Linux instance, no additional permissions.

If a user is removed from Turbot or from these permissions, Turbot removes that user from all instances they previously had access to.

To alter the sudo commands granted to each role, the following Options can be configured:

  • Linux > sudo Commands for Linux/SuperUser (default: ALL = (ALL) NOPASSWD: ALL)
  • Linux > sudo Commands for Linux/Admin (default: ALL = (ALL) NOPASSWD: ALL)
  • Linux > sudo Commands for Linux/Operator (default: ALL = NOEXEC:NOPASSWD: /sbin/poweroff, /sbin/halt, /sbin/reboot)

User SSH Key Management

A user needs to associate one or more SSH keys with their account. On the user’s profile page, under the SSH Keys section, the user can click the “Create SSH Key” button, which provides the public and private key to the user. Once an SSH key is created, it can be deactivated, reactivated, or deleted. Multiple keys can be associated per user; Turbot syncs all associated keys.

Note: upon SSH key creation, the private key is shown to the user only once – Turbot does not store the private key. Turbot only syncs the public key(s) to the applicable instances.
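To make the role and key rules above concrete, here is an added example (not Turbot’s own code or its Ansible playbooks) of the reconciliation a sync of this kind has to perform on each instance: it derives the desired users, their sudoers entry from the per-role defaults listed earlier, and their public keys, then diffs that against what is currently on the host. The data shapes, the sample users and keys, and the rule that deactivated keys are not pushed are assumptions made for the illustration; only public keys ever appear, matching the note that Turbot does not hold the private key.

```python
# Added example (not Turbot's code): reconcile desired Linux users/keys against on-host state.
from dataclasses import dataclass

# Default sudo command lists per Turbot Linux role, taken from the Options list above.
# Linux/User has no sudoers entry: it is login only.
SUDO_DEFAULTS = {
    "Linux/SuperUser": "ALL = (ALL) NOPASSWD: ALL",
    "Linux/Admin": "ALL = (ALL) NOPASSWD: ALL",
    "Linux/Operator": "ALL = NOEXEC:NOPASSWD: /sbin/poweroff, /sbin/halt, /sbin/reboot",
    "Linux/User": None,
}


@dataclass
class TurbotUser:
    username: str
    role: str      # the Linux/* role granted, or "" if none (assumed shape)
    keys: list     # (public_key, active) tuples; private keys never appear here


def desired_state(users):
    """Map username -> (sudoers line or None, sorted active public keys).

    Users with no Linux/* role are left out entirely, which is what causes
    them to be removed from the instance on the next sync.
    Assumption for this example: deactivated keys are not synced.
    """
    desired = {}
    for u in users:
        if u.role not in SUDO_DEFAULTS:
            continue
        active_keys = sorted(k for k, is_active in u.keys if is_active)
        desired[u.username] = (SUDO_DEFAULTS[u.role], active_keys)
    return desired


def render_sudoers(username, sudo_line):
    """Content of a per-user sudoers drop-in, or None for login-only users."""
    return None if sudo_line is None else f"{username} {sudo_line}\n"


def plan_sync(desired, on_host):
    """Diff desired state against the usernames/keys currently on the host.

    on_host: username -> list of public keys present in authorized_keys.
    Returns {"create": [...], "update": [...], "delete": [...]} of usernames.
    """
    plan = {"create": [], "update": [], "delete": []}
    for name, (_sudo_line, keys) in desired.items():
        if name not in on_host:
            plan["create"].append(name)
        elif sorted(on_host[name]) != keys:
            plan["update"].append(name)
    for name in on_host:
        if name not in desired:
            plan["delete"].append(name)
    for action in plan:
        plan[action].sort()
    return plan


# Constructed sample data (not real users or keys).
SAMPLE_USERS = [
    TurbotUser("alice", "Linux/SuperUser",
               [("ssh-ed25519 AAAAalice1", True), ("ssh-ed25519 AAAAalice2", False)]),
    TurbotUser("bob", "Linux/User", [("ssh-ed25519 AAAAbob1", True)]),
    TurbotUser("carol", "", [("ssh-ed25519 AAAAcarol1", True)]),  # lost her Linux/* role
]
SAMPLE_ON_HOST = {
    "alice": ["ssh-ed25519 AAAAalice1", "ssh-ed25519 AAAAalice2"],
    "carol": ["ssh-ed25519 AAAAcarol1"],
    "dave": ["ssh-ed25519 AAAAdave1"],  # present on the host, unknown to Turbot
}

if __name__ == "__main__":
    desired = desired_state(SAMPLE_USERS)
    print(plan_sync(desired, SAMPLE_ON_HOST))
    print(render_sudoers("alice", desired["alice"][0]), end="")
```

Running the sample yields a plan that creates bob, updates alice (her deactivated key is dropped from authorized_keys), and deletes carol and dave, which is the behaviour the page describes for users who lose their Linux/* role or were never granted one.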

Security Group & Network Access

To enforce user syncing on applicable instances, Turbot needs to be able to SSH into the instance. Routing from the Turbot Master to the applicable instances should be open via VPC peering and/or hairpinning back through the corporate network.

By default, the Turbot cluster’s security groups in your Turbot Master account allow SSH (port 22) egress. Turbot also needs SSH (port 22) ingress into the applicable instances. Ensure the security groups on the instance allow port 22 ingress from at least the Turbot Master Account’s VPC (verify with your Cloud Team if there is any doubt about whether access has been set up appropriately).
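As an added example (not part of Turbot or this page), the following check inspects an instance’s security group for the port 22 ingress the sync requires and reports whether the rule covers the Turbot Master VPC and whether it is wider than that. The group dictionaries follow the shape of `aws ec2 describe-security-groups` output; the VPC CIDR and the sample groups are constructed placeholders, not Turbot’s real values.

```python
# Added example (not Turbot's code): verify SSH ingress from the Turbot Master VPC.
import ipaddress

# Placeholder: substitute the CIDR of your own Turbot Master VPC.
TURBOT_MASTER_VPC_CIDR = "10.10.0.0/16"


def ssh_ingress_sources(security_group):
    """Return the IPv4 source CIDRs of every ingress rule that permits TCP/22."""
    sources = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
                continue
        elif proto != "-1":   # "-1" means all protocols and ports
            continue
        sources.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
    return sources


def ssh_check(security_group, master_vpc_cidr=TURBOT_MASTER_VPC_CIDR):
    """Report (reachable_from_master, open_to_world, offending_cidrs).

    reachable_from_master: some SSH rule covers the whole master VPC CIDR.
    open_to_world: some SSH rule is 0.0.0.0/0.
    offending_cidrs: SSH sources that reach beyond the master VPC, i.e.
    exposure the sync does not need.
    """
    master = ipaddress.ip_network(master_vpc_cidr)
    reachable = False
    open_to_world = False
    offending = []
    for cidr in ssh_ingress_sources(security_group):
        net = ipaddress.ip_network(cidr)
        if net.prefixlen == 0:
            open_to_world = True
        if master.subnet_of(net):        # rule covers the entire master VPC
            reachable = True
        if not net.subnet_of(master):    # rule admits sources outside the master VPC
            offending.append(cidr)
    return reachable, open_to_world, sorted(offending)


# Constructed sample groups (IDs and CIDRs are placeholders).
SG_GOOD = {"GroupId": "sg-0example1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
SG_OPEN = {"GroupId": "sg-0example2", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
SG_MISSING = {"GroupId": "sg-0example3", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "192.168.1.0/24"}]},
]}

if __name__ == "__main__":
    for sg in (SG_GOOD, SG_OPEN, SG_MISSING):
        print(sg["GroupId"], ssh_check(sg))
```

The first group is what the page asks for: port 22 from the Master VPC only, with the unrelated 443 rule ignored. The second satisfies reachability but by opening all ports to the world, and the third is the case where the sync will fail because the only SSH source is an unrelated network.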

Getting Started

With the Options and keys configured as above, a user can now provision an applicable instance with the Turbot Key Pair associated. The Turbot key pair must be associated during the provisioning process for the sync to work.

Turbot Linux User Management has been tested with the following AWS EC2 Quick Start images and AWS EMR versions:

  • Ubuntu 12.04, 14.04, 16.04, 18.04
  • RHEL 6.10, 7.1, 7.2, 7.3, 7.4, 7.5
  • Amazon Linux 2018
  • Amazon Linux 2
  • CentOS 6, 7
  • Suse 15

If you are using a custom AMI, Turbot Linux User Management can still work, but testing is required, as Turbot’s configuration may conflict with configurations baked into the image and/or the default administrator username may not be known to Turbot.

If there are any issues with the user sync, Turbot reports the errors in the Turbot console with full transparency to the Ansible logs.
