One thing that’s great about startups in their early stage is how you get to stick your hands into everything. Beta environment needs to be configured? Guess it’s time to fire up the terminal. Windows installer? I’ve never done one of those before. Python? Look at all the fun indentation!
One thing that’s less great about early stage startups can be that there’s nobody else to unload your work onto. Fire up all these Linux servers and set up access to them? That’s kind of a slog. I wish there was one easy way to do everything related to access control, but that’s still a work in progress.
So, what are the options for setting up authentication / user management into your Linux machines?
Setting Up Users on Each Machine
Let’s say you’re on the machine as root and you need to create an account for a user. This is the “adduser wagstaff; passwd swordfish” approach. It’s simple, effective, and if you’re only using a few machines and a few users then this could be the way to go. You can even simplify it with a Chef or Puppet recipe, adding the same users to a bunch of machines. It falls apart in maintenance for all but the most trivial groups, though. You’re in trouble once someone leaves, someone else joins, or you start wanting to restrict access to only certain people or groups. Log on to each machine to make changes? No thanks. Edit those handy dandy scripts? You’ll be editing long into the future for every use case.
Public Key Authentication
Public key authentication is obviously more secure than password-based authentication. You take your user’s public key, you add it to the ‘authorized_keys’ file under their home directory, and BAM they can SSH in. That’s great. No, seriously, great, that part is super simple. However, you’ve got the same complexity problems as for passwords. Removing, adding, and segmenting users all mean touching each machine directly again. And, what about best practices such as rotating keys?
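The maintenance pain in the last two sections (users per machine, and authorized_keys edited by hand) is the same problem: the authoritative list lives on every box instead of in one place. The script below is an added example, not code from the original post: it renders each user’s authorized_keys from a single manifest so that adding a user, removing one, or rotating a key is one edit to the manifest followed by a re-sync on each machine (by hand, or from the Chef/Puppet recipe already mentioned). The manifest format, the function names, the HOME_ROOT parameter and the sample key material are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the post's own tooling): render ~/.ssh/authorized_keys
# for every user from one central manifest. Hypothetical format, one key per
# line:   <username> <key-type> <base64-key> [comment]
# Users present under HOME_ROOT but absent from the manifest get an empty
# authorized_keys, so removing a line from the manifest revokes access on the
# next sync; replacing a line rotates that key everywhere.

set -u

# Print the authorized_keys lines for one user, each prefixed with a
# conservative options string (forwarding disabled; relax per host if needed).
keys_for_user() {
    manifest=$1; user=$2
    awk -v u="$user" '$1 == u && NF >= 3 {
        printf "no-agent-forwarding,no-X11-forwarding %s %s", $2, $3
        for (i = 4; i <= NF; i++) printf " %s", $i
        printf "\n"
    }' "$manifest"
}

# Write authorized_keys for every user in the manifest under HOME_ROOT
# (normally /home), atomically and with the modes sshd's StrictModes expects,
# then empty the file for any user who is no longer listed.
sync_authorized_keys() {
    manifest=$1; home_root=$2
    awk 'NF >= 3 { print $1 }' "$manifest" | sort -u | while read -r user; do
        sshdir="$home_root/$user/.ssh"
        mkdir -p "$sshdir" && chmod 700 "$sshdir"
        tmp=$(mktemp "$sshdir/.authorized_keys.XXXXXX")
        keys_for_user "$manifest" "$user" > "$tmp"
        chmod 600 "$tmp"
        mv -f "$tmp" "$sshdir/authorized_keys"   # atomic replace, never a half-written file
    done
    for f in "$home_root"/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        user=${f#"$home_root"/}; user=${user%%/*}
        if ! awk -v u="$user" '$1 == u && NF >= 3 { found=1 } END { exit !found }' "$manifest"; then
            : > "$f"; chmod 600 "$f"              # revoked: keep the file, drop every key
        fi
    done
}

# Number of keys currently authorized for a user (handy for an audit loop).
count_keys() {
    f="$2/$1/.ssh/authorized_keys"
    if [ -f "$f" ]; then grep -c . "$f" || true; else echo 0; fi
}

# Demo on a throwaway directory tree; the key material below is constructed
# filler for the example, not real keys.
demo() {
    root=$(mktemp -d)
    cat > "$root/manifest" <<'EOF'
wagstaff ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotReal00000000000 wagstaff@laptop
wagstaff ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotReal00000000001 wagstaff@desktop
hackenbush ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotReal00000000002 hackenbush@laptop
EOF
    sync_authorized_keys "$root/manifest" "$root/home"
    echo "wagstaff keys: $(count_keys wagstaff "$root/home")"
    # Off-boarding: remove hackenbush from the manifest and re-sync.
    grep -v '^hackenbush ' "$root/manifest" > "$root/manifest.new"
    mv "$root/manifest.new" "$root/manifest"
    sync_authorized_keys "$root/manifest" "$root/home"
    echo "hackenbush keys after removal: $(count_keys hackenbush "$root/home")"
    rm -rf "$root"
}
demo
```

Run it as root with HOME_ROOT set to /home to manage real accounts; the demo uses a temporary tree so it can be tried safely first. Because the whole file is regenerated from the manifest on every sync, a key that someone pasted in by hand disappears on the next run, which is the point: the manifest, not the machine, is the record of who can log in.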
All Right, How About Some Centralized User Management?
You could grant a user access to the appropriate machines from a central store of users. Perfect, I like that idea. A little Googling and you hear a lot about OpenLDAP (with some hints about Samba or IPA), and it really isn’t THAT difficult. I was able to figure out and configure my first system in less than a day. The second system (CentOS instead of Ubuntu) took even less time, even though there were some pretty big differences in their configuration. Excellent. The THIRD system, however, on an older-but-still-supported flavor of Ubuntu, took several days. I suddenly needed to use LDAP tools to listen for calls and see just What.The.Heck! was the difference here?
All the documentation confirmed that I was doing it the right way. After all, I really just wanted to develop some product. I did not want to debug someone else’s code and step through log files at their most verbose setting while going freaking insane. So, yeah, while I don’t have to manage accounts directly on each machine, it’s not without its potential problems. The moral of this story is less ops, more dev.