Veyon Community Forum

    Best Practices - Multiple Authentication Key Pairs?

    • jhostetter

      I would love to hear more information on the best practices for Authentication Keys in larger environments. Any additional solutions, ideas, perspective, or information would be greatly appreciated. Thank you!

      Site Example:

      Computers

      • Lab 1 (50 computers)
      • Lab 2 (50 computers)
      • Lab 3 (50 computers)

      Users

      • Administrator 1
      • Administrator 2
      • Lab 1 Supervisor
      • Lab 2 Supervisor
      • Lab 3 Supervisor

      Goal:

      I would like the supervisor of each lab to only have access to their lab. I would like the administrators to have access to all of the labs/computers.

      Solutions: (Two I thought of)

      Solution 1 - (1) “Master” Key Pair & (3) Individual “Lab” Key Pairs

      • Create “master” key pair for administrator use
      • Create one key pair for each lab (lab1, lab2, lab3)
      • Install “master” public key, and corresponding “labX” public key on lab computers
      • Lab supervisors have corresponding private key and can only access their lab
      • Administrators have “master” private key and can access all computers

      Notes:
      I don’t prefer this option because there is a Master key that can be used to access any computer on the site. If I needed to change the key, it would need to be done on all computers.

      Solution 2 - (3) Individual “Lab” Key Pair

      • Create one key pair for each lab (lab1, lab2, lab3)
      • Install corresponding “labX” public key on lab computers
      • Lab supervisors have corresponding private key and can only access their lab
      • Administrators have 3 private keys (lab1, lab2, lab3) on their computer and can access all computers

      Notes:
      So far, it seems like Veyon does not let me utilize more than one private key on a master computer. When I have multiple private keys imported to a master, Veyon only authenticates computers from 1 of the private keys (the others are red).

      • tobydox

        Hi @jhostetter

        thanks for your detailed information and proposals. To be honest the key file authentication mechanism is not made for such scenarios. Instead it provides basic facilities to manage access for different user groups, e.g. teachers, administrators and support staff.

        I suggest using access control rules instead. There are numerous possibilities thanks to many different rule conditions - see https://docs.veyon.io/en/latest/admin/access-control-rules.html#conditions for details. There's a condition "Accessing computer and local computer are at the same location" which should fulfill your need exactly. To make it function properly you'll have to either maintain the builtin directory (locations and computers) on student computers as well (simply by deploying the same configuration to student and master computer) or preferably make Veyon use this information from your LDAP/AD server. Don't hesitate to ask further questions if you're stuck with access control rules.

        Best regards
        Tobias
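
The rule-based setup suggested in the reply above, as an added example that is not part of the thread and is not Veyon code: a simplified Python model of ordered rule evaluation with the "same location" condition, applied to the three-lab site from the question. The computer names, user names, function names and the first-match/default-deny semantics are assumptions made for illustration.

```python
# Added illustration: a simplified model, NOT Veyon's implementation.
# All names and the evaluation semantics below are assumptions.
from dataclasses import dataclass

# Constructed directory (location -> computers), standing in for what the
# builtin directory or an LDAP/AD backend would provide.
DIRECTORY = {
    "Lab 1": {"lab1-master", "lab1-pc01"},
    "Lab 2": {"lab2-master", "lab2-pc01"},
    "Lab 3": {"lab3-master", "lab3-pc01"},
}
ADMINS = {"admin1", "admin2"}  # constructed group membership


@dataclass
class Request:
    user: str
    accessing_computer: str  # the master computer
    local_computer: str      # the computer being accessed


def location_of(computer, directory):
    for location, computers in directory.items():
        if computer in computers:
            return location
    return None  # unknown computer: no location can be resolved


def same_location(req, directory):
    local = location_of(req.local_computer, directory)
    return local is not None and local == location_of(req.accessing_computer, directory)


def evaluate(req, directory):
    """Return 'allow' or 'deny' for a request.

    `directory` is the directory as seen by the computer evaluating the rules.
    Rules are checked in order, the first match decides, and a request that
    matches no rule is denied (assumed semantics).
    """
    rules = [
        ("administrators may access every computer", lambda r: r.user in ADMINS, "allow"),
        ("accessing and local computer at same location",
         lambda r: same_location(r, directory), "allow"),
    ]
    for _name, condition, action in rules:
        if condition(req):
            return action
    return "deny"
```

Passing an empty directory models a student computer that never received the locations and computers: the location condition cannot match there, so a supervisor is denied even inside their own lab.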
