Prior to the December 17, 2009 release, SSH access was granted on a per-account basis, where users of a RightScale account could use the same cloud SSH keys to log into instances. In that release, RightScale introduced the new Server Login Control feature, which provides per-user SSH access control based on a new user role and a private SSH Key Pair that you can either manage yourself or that RightScale can manage for you.
As of the May 23, 2013 release, account holders can mandate that every user within an account manage their own SSH Key Pair. This removes RightScale from managing a user's SSH Key Pair by default. For more information on how to enable this feature, see Enable Mandatory Server Login Control.
The Server Login Control feature allows you to use a private SSH Key Pair instead of your cloud SSH keys for shell access. SSH Key Pairs are unique for each user and are used across all RightScale accounts. To view your Server Login Control settings, go to Settings > User Settings > SSH tab.
By default, RightScale manages your login credentials for you. If you keep this option, RightScale generates a private key pair for you. Only your public key is displayed (read-only), while your private key is stored in our database.
The other option is to use your own key pair and manage your credentials yourself. You need to provide your public key and the directory on your local machine (relative to your home directory, e.g. .ssh/id_rsa) where your private key will be stored. This option ensures that only a logged-in user on a machine that has the appropriate private key stored locally can SSH into an instance. RightScale uses your private key to authenticate SSH access, so if the private key file cannot be found, you cannot SSH into an instance. If you are using multiple computers to manage your account, you must put the private key in the same location on all computers.
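For the self-managed option described above, the following added example (not RightScale code) checks on each of your computers that the private key exists at the same home-relative location, is not readable by other local users, and matches the public key you registered. It assumes OpenSSH's ssh-keygen is installed; the function name and the local copy of the registered public key are hypothetical.

```shell
#!/bin/sh
# Added example, not RightScale code: verify a self-managed key on this machine.
# Assumptions: OpenSSH's ssh-keygen is installed, and the second argument is a
# local file holding the public key you entered on the SSH tab (hypothetical copy).
# Usage: check_login_key .ssh/id_rsa /path/to/registered_key.pub

check_login_key() {
    rel_path=$1          # private key path relative to $HOME, e.g. .ssh/id_rsa
    registered_pub=$2    # file containing the registered public key
    key="$HOME/$rel_path"

    # The private key must exist at the same relative location on every machine.
    if [ ! -f "$key" ]; then
        echo "missing: $key"
        return 2
    fi

    # Group and other permission bits (characters 5-10 of the mode string)
    # must be clear so that no other local user can read the key.
    if [ "$(ls -lL "$key" | cut -c5-10)" != "------" ]; then
        echo "too-open: $key"
        return 3
    fi

    # Derive the public half from the private key and compare only the key
    # type and base64 blob, ignoring the trailing comment field.
    # A passphrase-protected key makes ssh-keygen prompt for the passphrase.
    derived=$(ssh-keygen -y -f "$key" 2>/dev/null | awk '{print $1, $2}')
    expected=$(awk 'NF {print $1, $2; exit}' "$registered_pub")
    if [ -z "$derived" ] || [ "$derived" != "$expected" ]; then
        echo "mismatch: $key"
        return 4
    fi

    echo "ok: $key"
    return 0
}
```

A non-zero return code identifies which check failed: 2 for a missing file, 3 for permissions that are too open, 4 for a key that does not match the registered public key.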
Requirements for using Server Login Control
In order to use the Server Login Control feature, you must have the following:
Controlling User Access with Server Login Control
An 'admin' user can use the Server Login Control feature and user roles to control who has shell (SSH) access to server instances. For example, a system administrator can grant some users the ability to launch/terminate servers ('actor'), but not SSH into them. Conversely, other users might only have 'server_login' privileges so they can SSH into a server for auditing and troubleshooting purposes even though they can't actually launch/terminate a server. Additionally, other users can have 'server_superuser' if they require root access to a server.
Mandatory Server Login Control
Managers of an account can require that all users manage their own key pairs instead of RightScale managing them by default. To enable this, see Enable Mandatory Server Login Control.