[BETA] ns8-ssh-access-manager — SSH key audit and lifecycle management for NethServer 8

ns8-ssh-access-manager v0.0.1-dev.6

First public beta release of ns8-ssh-access-manager, a NethServer 8 module for centralized SSH key auditing and lifecycle management.

Overview

Managing SSH access at scale is a common blind spot in many infrastructures.

On a typical fleet of Linux servers, SSH `authorized_keys` files are:

  • scattered across multiple machines and user accounts
  • manually managed (e.g. via `ssh-copy-id`)
  • rarely audited
  • almost never rotated

Over time, this leads to:

  • orphaned keys when users leave a team
  • uncontrolled access persistence
  • lack of visibility on who can access what
  • potential security risks and compliance issues

ns8-ssh-access-manager was developed to address these problems by providing:

  • centralized visibility
  • continuous auditing
  • controlled key lifecycle management

The goal is simple: make SSH access **observable, auditable, and enforceable**.


Added

  • Centralized web interface to view SSH authorized_keys across all managed servers
  • Anomaly detection system:
    • Detects keys added or removed outside the platform (e.g. ssh-copy-id, manual edits)
    • Generates critical alerts on unexpected changes
  • ANSSI BP-099 compliance checks:
    • Flags weak SSH keys (RSA < 4096 bits)
  • SSH key lifecycle management:
    • Key creation with expiration date
    • Mandatory justification field
    • Automatic key revocation at expiry
  • Audit logging:
    • Tracks key additions, revocations, and script deployments
  • Automated provisioning system:
    • Remote deployment of audit scripts
    • Idempotent server setup
  • Periodic background scans with configurable interval
  • Ability to manage SSH keys on the host running the module itself

Security

  • No root access required for standard operations
  • Dedicated restricted user (audit-collector) created on managed hosts
  • Controlled sudo access limited to five scripts:
    • sam-collect
    • sam-add
    • sam-revoke
    • sam-lock-user
    • sam-unlock-user
  • Script integrity ensured via hash-based updates

Installation

add-module ghcr.io/stephdl/sam:0.0.1-dev.7 1

Then configure the module from the NethServer 8 Software Center.

The default login is admin/admin

SMTP settings are automatically inherited from the system configuration.


Provisioning

runagent -m sam1 ../bin/provision-server \
  --hostname server-prod-01 \
  --ip 192.168.1.100 \
  --user root \
  --env production \
  --os rhel

Options

| Option       | Default    | Description                                |
|--------------|------------|--------------------------------------------|
| `--hostname` | required   | Server hostname                            |
| `--ip`       | required   | Server IP address                          |
| `--user`     | root       | SSH user                                   |
| `--env`      | production | Environment (production, staging, dev)     |
| `--os`       | other      | Target OS (rhel, debian, ubuntu, alpine)   |

Workflow

  • Initial scan imports all existing keys as PENDING_REVIEW
  • Alerts are generated for unknown keys
  • Administrator reviews and validates or revokes keys
  • Continuous scans detect and report any external changes

Known Issues

  • Beta release, APIs and data model may change
  • Limited OS support detection
  • No high availability support
  • Notification system is still a work in progress

Disclaimer

  • This is a beta release and should be tested on non-production environments
  • Use on test servers is strongly recommended before any production deployment

Repository

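The announcement above describes three checks the module performs on each scan: flagging RSA keys shorter than 4096 bits (the ANSSI BP-099 rule), fingerprinting every key in `authorized_keys`, and raising an alert when a key appears or disappears between scans (i.e. was added or removed outside the platform, for example with `ssh-copy-id`). The following Python script is an added illustration of how such an audit works; it is not code from ns8-ssh-access-manager or its author. It assumes that an options field in `authorized_keys` contains no spaces, that "RSA bits" means the bit length of the modulus in the key blob, and it builds its own sample keys in the block (constructed blobs with arbitrary moduli, not real keys) so that it runs offline.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

# Threshold from the announcement's ANSSI BP-099 check: RSA keys below this are flagged.
MIN_RSA_BITS = 4096


@dataclass(frozen=True)
class Key:
    keytype: str
    fingerprint: str  # "SHA256:..." in the same form as `ssh-keygen -l`
    bits: int
    comment: str


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_authorized_keys(text):
    """Parse authorized_keys text into Key records (assumption: options fields contain no spaces)."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = 0  # skip an optional leading options field such as no-pty,from=...
        while idx < len(fields) and not fields[idx].startswith(("ssh-", "ecdsa-", "sk-")):
            idx += 1
        if idx + 1 >= len(fields):
            continue  # malformed line: no key type / key data
        keytype, b64 = fields[idx], fields[idx + 1]
        comment = " ".join(fields[idx + 2:])
        try:
            blob = base64.b64decode(b64, validate=True)
            wire_type, off = _read_string(blob, 0)
            if wire_type != keytype.encode():
                continue  # key data does not match the declared type
            bits = 0
            if keytype == "ssh-rsa":
                _exponent, off = _read_string(blob, off)
                modulus, _ = _read_string(blob, off)
                bits = int.from_bytes(modulus, "big").bit_length()
            elif keytype == "ssh-ed25519":
                bits = 256
            elif keytype.startswith("ecdsa-sha2-nistp"):
                bits = int(keytype[len("ecdsa-sha2-nistp"):])
        except (ValueError, struct.error):
            continue  # bad base64 or truncated blob: skip the line
        digest = hashlib.sha256(blob).digest()
        fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        keys.append(Key(keytype, fp, bits, comment))
    return keys


def weak_keys(keys):
    """The announcement's weak-key rule: RSA shorter than MIN_RSA_BITS."""
    return [k for k in keys if k.keytype == "ssh-rsa" and k.bits < MIN_RSA_BITS]


def audit(previous_text, current_text):
    """Compare a new scan with the last recorded one: keys that appeared or
    vanished between scans were changed outside the platform."""
    previous = {k.fingerprint for k in parse_authorized_keys(previous_text)}
    current = parse_authorized_keys(current_text)
    current_fps = {k.fingerprint for k in current}
    return {
        "added_outside_platform": sorted(current_fps - previous),
        "removed_outside_platform": sorted(previous - current_fps),
        "weak": sorted(k.fingerprint for k in weak_keys(current)),
    }


# --- constructed sample data (not real keys; moduli are arbitrary numbers) ---
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(i):  # extra byte keeps the mpint positive when the top bit is set
    return _ssh_string(i.to_bytes((i.bit_length() + 8) // 8, "big"))


def constructed_rsa_key(nbits, comment):
    modulus = (1 << (nbits - 1)) | 0x1234567  # exactly nbits long, not a real modulus
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def constructed_ed25519_key(pub32, comment):
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pub32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


ALICE = constructed_rsa_key(2048, "alice@laptop")  # weak under the 4096-bit rule
BOB = constructed_rsa_key(4096, "bob@workstation")
CAROL = constructed_ed25519_key(bytes(range(32)), "carol@desk")
DAVE = constructed_ed25519_key(bytes(range(32, 64)), "dave@old-host")

PREVIOUS_SCAN = "\n".join([ALICE, BOB, DAVE])
CURRENT_SCAN = "\n".join([
    "# constructed sample authorized_keys",
    ALICE,
    "no-pty,no-agent-forwarding " + BOB,  # options prefix, same key as before
    CAROL,                                # added by hand (e.g. ssh-copy-id) since last scan
])
```

Running `audit(PREVIOUS_SCAN, CURRENT_SCAN)` reports Carol's key as added outside the platform, Dave's as removed, and Alice's 2048-bit RSA key as weak; Bob's key is unchanged because the fingerprint is computed over the key blob, so adding restrictive options to the line does not count as a change. A real collector would persist the fingerprint set between scans instead of re-parsing the previous file.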


That’s why SSH certificates (host and user) are a really good idea, authenticated (in the case of user certs) by a SSO system, and backed by a private CA.



Issue installing, please see this bin

TIA


hello laylow, could you try to reproduce and catch the error in journald? I hope for more details :confused:

during the installation do journalctl -f in a terminal, or after the installation journalctl -e

root@d1:~# add-module ghcr.io/stephdl/ns8-ssh-access-manager:0.0.1-dev.1
{'module_id': 'ns8-ssh-access-manager1', 'module_uuid': 'b2d8aa6e-a8d7-4cde-a9e6-26b175480756', 'image_name': 'ns8-ssh-access-manager', 'image_url': 'ghcr.io/stephdl/ns8-ssh-access-manager:0.0.1-dev.1'}
root@d1:~# 

add-module ghcr.io/stephdl/ns8-ssh-access-manager:0.0.1-dev.1

Bad url sorry @LayLow


Fixed, it now installs correctly. Maybe I missed it, what is the default user/pass for accessing the SAM web interface?

admin/admin, you are right, I'll add it


Just thinking out loud here, I sometimes forget to log out of an ssh session because my terminal window is pushed to the background while I do some other tasks such as quick browsing etc. The terminal session and the ssh connection are left open. I wonder if an ssh session could be automatically closed after a period of inactivity? Just like a screensaver kicks in after 10, 15, 30 or 60 minutes. Would that be something that could be a feature (maybe already there) of SAM?

Meaning, can the ssh config of the server to be accessed be adjusted per ssh session managed by SAM?

TIA

hum, I try to have as minimal an impact as possible on the remote server, and SAM is able to remotely lock a Linux user to nologin… so I went far, but maybe I could find a way to see SSH logins… it's a good idea to check who is connected, but closing a connection could be dangerous

anyway I dropped a lot of enhancements yesterday night, now we have RBAC, role based access control for 3 roles, a timeout when you are logged in and a keep-me-logged-in function, many settings directly in the settings page, notifications are sent to admins (you can disable notifications for a specific admin) and you have a button to test your SMTP settings for notifications.

for now I have comments and documentation in French because it is a project for my VAE, but I have to translate them into English.

what more to say, SAM can be used as a standalone project, but NS8 will ease the work to run the container, to back it up and to provision a remote host


[mail2@rl1 state]$ who
root pts/0 2026-04-28 08:41 (92.135.44.62)
root pts/1 2026-04-28 08:43 (92.135.44.62)

it could be even really easy


You wish! I used the who command with “who -d” to check my node, and voilà, 2 abandoned tmux sessions that I never knew were still running in the background…. Let alone I know what they were running, maybe a malicious script? (just as an example, they were mine).

A trojan horse could be inserted into the root fs via tmux/screen and stay undetected, possibly phoning home or opening a backdoor.

“tmux attach” and “exit” on both tmux sessions ended the forgotten tmux sessions. Funny thing though that “who -d” still shows them both, but “who -d” now says “no sessions”. Maybe some caching (on file)?

So, how to cope with forgotten, hidden, ‘broken’ (connection timeouts) tmux sessions? I guess the same is valid for the obsolete but still available “screen” command.

</panic mode>

tmux cheatsheet for convenience.

ps. What I mean is that SAM manages keys, but like in a real building, one would like to know who opened what door (and for what reason) and specifically, whether all doors are locked again. So if I get a key (RBAC or whatever auth), go inside, open the back door, go back to reception and hand back the keys and leave. All is fine according to key management, but not to security.

Identity and Access Management (IAM) comes into play. Just saying this for a broader discussion, gathering thoughts on the interesting areas of SSO, IAM, SAM, security and system audits and hardening. Maybe even worth a split off into a separate chat topic? (Ah! we already started this thought process here.)

Nevertheless, SAM is great thanks @stephdl !


new url, a lot of new features

What is the upgrade command to upgrade from the previous version please?

during the dev phase I do not support upgrades, I have a PostgreSQL database and I do not provide SQL migrations, please remove and install again

obviously migration will be handled later


JFY the readme says “remove-module --no-preserve sam1” but it should be:

remove-module --no-preserve ns8-ssh-access-manager1

and what version is the latest as we speak?

ps. I used the latest which seems to install:


you can use the application or the software page to remove :smiley:

you are right : 0.0.1-dev.4

What do you think, what feeling @laylow, what is broken, what we could enhance ?

I hope e.g. @dan and @capote and others can spend some time to assist you with this too, for they are far more knowledgeable than me. I think it is worth the effort to make this a rock solid solution.
