Intel® Tiber Developer Cloud
Help connecting to or getting started on Intel® Tiber Developer Cloud
269 Discussions

Best practice for multiple users on a single base metal instance.

User01
New Contributor II
332 Views

It seems that Intel Tiber AI Cloud is dependent on adding ssh public keys to the authorized_keys file of a single user that has sudo privileges. With this approach every user will connect with their own private key but as the same OS user and have sudo. What is the best practice for issuing separate user accounts for different users of the same instance?

Labels (2)
0 Kudos
1 Solution
Witold_Intel
Employee
147 Views

Hello Donald,


In the Intel® Tiber™ AI Cloud environment, managing SSH keys and user access involves several components: the web console for key management, the jump box (bastion host) for secure access, and the individual instances where workloads run. Here's an overview of how these elements interact:

1. SSH Key Management via the Web Console:

Uploading Keys: Users upload their SSH public keys through the Intel Tiber AI Cloud web console. This process associates the keys with the user's account. https://console.cloud.intel.com/docs/guides/ssh_keys.html

  • Purpose: The uploaded keys authenticate users when connecting to instances, ensuring that only authorized individuals can access the resources.

2. Role of the Jump Box (Bastion Host):

  • Access Point: The jump box serves as an intermediary, providing a controlled entry point to instances within the cloud environment.
  • Authentication: When a user attempts to connect to an instance, the system verifies their SSH key against those stored in the web console. If there's a match, the user gains access through the jump box to the target instance.

3. Instance Configuration and User Accounts:

  • Default Setup: By default, instances may have a single OS-level user account with sudo privileges. All users access the instance using this account, authenticated via their individual SSH keys.
  • Best Practices for Multi-User Environments:
    • Separate User Accounts: It's advisable to create individual OS-level user accounts for each user. This approach enhances security and accountability.
    • Assigning SSH Keys: Place each user's public SSH key in their respective ~/.ssh/authorized_keys file. This setup allows users to authenticate directly to their own accounts.
    • Managing Sudo Privileges: Grant sudo access selectively, based on necessity, to minimize potential security risks.

Uploading SSH keys via the Intel Tiber AI Cloud web console authorizes users to access instances through the jump box. While the default configuration might utilize a shared OS user account, implementing separate user accounts with individual SSH keys on each instance is recommended for improved security and management.

For detailed instructions on generating and uploading SSH keys, refer to the Intel® Tiber™ AI Cloud documentation on SSH Keys. Can we support you further?


View solution in original post

6 Replies
Aznie_Intel
Moderator
273 Views

Hi User01,

 

Thanks for reaching out to us.

Yes, all users with permission will login to the same OS. Intel Tiber AI cloud instance does not have the feature to separate user accounts for different users of the same instance. To avoid task being mixed up, it is suggested that the user create virtual environment and run own task in the created virtual environment.

 

 

Regards,

Aznie


0 Kudos
User01
New Contributor II
172 Views

Please add documentation on the relationship between Keys added to an Instance, the jump box guest account, and the instance configuration.

It seems that keys must be added to the "Intel Tiber AI Cloud" web console. When this is done, those keys seem to allow connections through the jump box. Then user accounts on the Instance can be configured so that individual users have their own OS accounts that use their own keys. This allows for a normal multi-user setup. However, it would be best to have explicit documentation on what happens when Keys are setup in the web console. What exactly do they authorize and where?

0 Kudos
Witold_Intel
Employee
148 Views

Hello Donald,


In the Intel® Tiber™ AI Cloud environment, managing SSH keys and user access involves several components: the web console for key management, the jump box (bastion host) for secure access, and the individual instances where workloads run. Here's an overview of how these elements interact:

1. SSH Key Management via the Web Console:

Uploading Keys: Users upload their SSH public keys through the Intel Tiber AI Cloud web console. This process associates the keys with the user's account. https://console.cloud.intel.com/docs/guides/ssh_keys.html

  • Purpose: The uploaded keys authenticate users when connecting to instances, ensuring that only authorized individuals can access the resources.

2. Role of the Jump Box (Bastion Host):

  • Access Point: The jump box serves as an intermediary, providing a controlled entry point to instances within the cloud environment.
  • Authentication: When a user attempts to connect to an instance, the system verifies their SSH key against those stored in the web console. If there's a match, the user gains access through the jump box to the target instance.

3. Instance Configuration and User Accounts:

  • Default Setup: By default, instances may have a single OS-level user account with sudo privileges. All users access the instance using this account, authenticated via their individual SSH keys.
  • Best Practices for Multi-User Environments:
    • Separate User Accounts: It's advisable to create individual OS-level user accounts for each user. This approach enhances security and accountability.
    • Assigning SSH Keys: Place each user's public SSH key in their respective ~/.ssh/authorized_keys file. This setup allows users to authenticate directly to their own accounts.
    • Managing Sudo Privileges: Grant sudo access selectively, based on necessity, to minimize potential security risks.

Uploading SSH keys via the Intel Tiber AI Cloud web console authorizes users to access instances through the jump box. While the default configuration might utilize a shared OS user account, implementing separate user accounts with individual SSH keys on each instance is recommended for improved security and management.

For detailed instructions on generating and uploading SSH keys, refer to the Intel® Tiber™ AI Cloud documentation on SSH Keys. Can we support you further?


User01
New Contributor II
127 Views

@Witold_Intel - that is exactly the information I needed. Thanks for the detailed response.

0 Kudos
Witold_Intel
Employee
89 Views

You're welcome. Can we support you further?


0 Kudos
User01
New Contributor II
59 Views

This issue is now resolved. Thanks.

0 Kudos
Reply