This guide addresses how to manage access to modern server fleets. Today, organizations run elastic infrastructure: thousands of servers, with VMs launched and deleted every hour. In addition, the people who need to access that infrastructure come and go, and their roles change while they are at the organization. Both kinds of churn make it difficult to implement a scalable system of Privileged Access Management (“PAM”) for the IT infrastructure.
This guide does not attempt to be a complete overview of the PAM landscape and omits many topics such as Kerberos, SSSD and GSS-API. Instead, it focuses on patterns and anti-patterns that we have seen implemented by system administrators building access management on top of OpenSSH, while trying to adapt to new regulatory and scalability requirements.
We adopted many of the SSH infrastructure patterns mentioned here while building Teleport, a modern SSH server which “manages privileged access to elastic infrastructure, without getting in the way.”