Best Practices - Multiple Authentication Key Pairs?
I would love to hear more information on the best practices for Authentication Keys in larger environments. Any additional solutions, ideas, perspective, or information would be greatly appreciated. Thank you!
Site Example:
Computers
- Lab 1 (50 computers)
- Lab 2 (50 computers)
- Lab 3 (50 computers)
Users
- Administrator 1
- Administrator 2
- Lab 1 Supervisor
- Lab 2 Supervisor
- Lab 3 Supervisor
Goal:
I would like the supervisor of each lab to only have access to their lab. I would like the administrators to have access to all of the labs/computers.
Solutions: (Two I thought of)
Solution 1 - (1) “Master” Key Pair & (3) Individual “Lab” Key Pairs
- Create “master” key pair for administrator use
- Create one key pair for each lab (lab1, lab2, lab3)
- Install “master” public key, and corresponding “labX” public key on lab computers
- Lab supervisors have corresponding private key and can only access their lab
- Administrators have “master” private key and can access all computers
Notes:
I don’t prefer this option because there is a Master key that can be used to access any computer on the site. If I needed to change the key, it would need to be done on all computers.
Solution 2 - (3) Individual “Lab” Key Pairs
- Create one key pair for each lab (lab1, lab2, lab3)
- Install corresponding “labX” public key on lab computers
- Lab supervisors have corresponding private key and can only access their lab
- Administrators have 3 private keys (lab1, lab2, lab3) keys on computer and can access all computers
Notes:
So far, it seems like Veyon does not let me utilize more than one private key on a master computer. When I have multiple private keys imported to a master, Veyon only authenticates computers from one of the private keys (the others are red).
Hi @jhostetter
Thanks for your detailed information and proposals. To be honest, the key file authentication mechanism is not made for such scenarios. Instead it provides basic facilities to manage access for different user groups, e.g. teachers, administrators and support staff.
I suggest using access control rules instead. There are numerous possibilities thanks to many different rule conditions - see https://docs.veyon.io/en/latest/admin/access-control-rules.html#conditions for details. There's a condition "Accessing computer and local computer are at the same location" which should fulfill your need exactly. To make it function properly, you'll have to either maintain the builtin directory (locations and computers) on student computers as well (simply by deploying the same configuration to student and master computers) or, preferably, make Veyon use this information from your LDAP/AD server. Don't hesitate to ask further questions if you're stuck with access control rules.
Best regards
Tobias
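To show how the rule-based approach answers the original lab/administrator goal, here is an added illustrative model of Veyon-style access control rules (it is not Veyon's own code or configuration format). The host names, locations and group names are constructed sample data, and using a "member of group" condition for the administrators is an assumption on top of the "same location" condition named in the reply.

```python
from collections.abc import Callable
from dataclasses import dataclass

# Constructed directory data: computer name -> location. In a real deployment this
# comes from Veyon's builtin directory or LDAP/AD and must be present on the
# accessed (student) computer, because that is where the rules are evaluated.
LOCATIONS: dict[str, str] = {
    **{f"lab1-pc{i:02d}": "Lab 1" for i in range(1, 51)},
    **{f"lab2-pc{i:02d}": "Lab 2" for i in range(1, 51)},
    **{f"lab3-pc{i:02d}": "Lab 3" for i in range(1, 51)},
    "admin-ws1": "Server Room",
}
# Constructed group membership; the group names are assumptions, not Veyon defaults.
GROUPS: dict[str, set[str]] = {
    "admin1": {"veyon-admins"}, "admin2": {"veyon-admins"},
    "lab1sup": {"lab1-staff"}, "lab2sup": {"lab2-staff"}, "lab3sup": {"lab3-staff"},
}

@dataclass
class Request:
    user: str            # authenticated user on the master computer
    accessing_host: str  # the master computer the request comes from
    local_host: str      # the student computer deciding on the request

@dataclass
class Rule:
    name: str
    allow: bool
    condition: Callable[[Request], bool]

def member_of(group: str) -> Callable[[Request], bool]:
    return lambda r: group in GROUPS.get(r.user, set())

def same_location(r: Request) -> bool:
    # A host missing from the directory has no location; two unknown hosts
    # must not match each other just because both lookups return None.
    loc = LOCATIONS.get(r.accessing_host)
    return loc is not None and loc == LOCATIONS.get(r.local_host)

# Rules are checked top to bottom; the first rule whose condition holds decides.
RULES: list[Rule] = [
    Rule("administrators may access any computer", True, member_of("veyon-admins")),
    Rule("accessing computer and local computer are at the same location", True, same_location),
    Rule("fallback: deny everything else", False, lambda r: True),
]

def decide(req: Request) -> tuple[bool, str]:
    for rule in RULES:
        if rule.condition(req):
            return rule.allow, rule.name
    return False, "no rule matched"
```

The fallback deny at the end matters: without it, a request matching no rule would depend on the engine's default rather than on an explicit decision.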