Capstone: Access Policy for Workshop Co.
Who gets keys, jump host, sudo, logging.
Capstone objectives
- Write a complete SSH access policy for Workshop Co.
- Define roles, key lifecycle, bastion rules, and audit requirements
- Document emergency access and offboarding procedures
The brief
Workshop Co. — access policy draft
- Staff: Marcus (admin), Dana (developer, staging only), contractor Alex (3-month project)
- Hosts: Bastion, web prod/staging, db, Nextcloud, Proxmox
- Compliance: Customer booking data in PostgreSQL — Alberta/PIPEDA expectations
- Requirement: No shared passwords; all access logged; contractor offboarded cleanly
Part 1 — access matrix
Create a table: Person, hosts allowed, auth method, sudo scope, tunnel allowed?
Model solution
| Person | Hosts | Auth | Sudo | Tunnels |
|---|---|---|---|---|
| Marcus | All via bastion | Ed25519 + passphrase | Full on infra VMs | Yes — PG, Proxmox |
| Dana | staging web, bastion | Own Ed25519 key | deploy user, no root | Local 8080→staging only |
| Alex | staging web only | Own key, expires Mar 31 | deploy, no prod | No DB tunnels |
Part 2 — key lifecycle policy
Write bullet points covering: key generation standard, passphrase requirement, rotation interval, offboarding within 24h, break-glass key storage.
Sample policy
- Ed25519 only; minimum 15-character passphrase; stored in OS keychain
- Annual rotation or immediately on laptop compromise
- Offboarding: remove all authorized_keys lines; revoke VPN; audit auth.log for 30 days prior
- Break-glass: second key in sealed envelope in Edmonton office safe; usage requires owner notification
- No private keys on USB drives or Slack
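One way to check an authorized_keys file against the sample policy and Alex's expiring key from the access matrix. This is an added example, not part of the original course material. `expiry-time` is a standard OpenSSH authorized_keys option; the owner@device comment convention, the sample entries, and the year are assumptions constructed for illustration.

```python
import re
from datetime import date, datetime

ALLOWED_TYPES = {"ssh-ed25519"}                 # Part 2: Ed25519 only
KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)\S+")
# Options field: comma-separated, may hold double-quoted values with spaces.
OPTIONS = re.compile(r'((?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+(.*)')

def audit(text, today, contractors=()):
    """Return [(line_no, finding)] for the contents of an authorized_keys file."""
    # Assumption: key comments follow an owner@device naming convention.
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line, opts = raw.strip(), ""
        if not line or line.startswith("#"):
            continue
        m = None if KEY_TYPE.match(line) else OPTIONS.match(line)
        if m:                                   # entry starts with options
            opts, line = m.groups()
        fields = line.split(None, 2)
        if len(fields) < 2 or not KEY_TYPE.fullmatch(fields[0]):
            findings.append((n, "unparseable entry"))
            continue
        ktype = fields[0]
        owner = fields[2].split("@")[0] if len(fields) > 2 else ""
        if ktype not in ALLOWED_TYPES:
            findings.append((n, f"{ktype} key not allowed"))
        exp = re.search(r'expiry-time="(\d{8})', opts)
        if exp:
            # A date-only expiry-time takes effect at the start of that day.
            day = datetime.strptime(exp.group(1), "%Y%m%d").date()
            if day <= today:
                findings.append((n, f"expired {day}, remove entry"))
        elif owner in contractors:
            findings.append((n, "contractor key has no expiry-time"))
    return findings

SAMPLE = """# constructed sample; key blobs are placeholders
ssh-ed25519 AAAAC3PLACEHOLDER1 marcus@laptop
ssh-rsa AAAAB3PLACEHOLDER2 dana@old-laptop
expiry-time="20250331",no-agent-forwarding ssh-ed25519 AAAAC3PLACEHOLDER3 alex@work
ssh-ed25519 AAAAC3PLACEHOLDER4 alex@home
command="echo hi there",expiry-time="20990101" ssh-ed25519 AAAAC3PLACEHOLDER5 dana@laptop
"""

if __name__ == "__main__":
    for n, msg in audit(SAMPLE, date(2025, 4, 2), contractors={"alex"}):
        print(f"line {n}: {msg}")
```

An expired entry is already refused by sshd, but the offboarding step still removes the line so the file reflects who currently has access.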
Part 3 — sample sshd + config snippets
Provide bastion sshd_config.d drop-in and one ~/.ssh/config stanza for Dana (staging only).
Sample snippets
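```
# Bastion — /etc/ssh/sshd_config.d/50-bastion.conf
AllowUsers marcus dana alex
PasswordAuthentication no
# ProxyJump through the bastion relies on TCP forwarding
AllowTcpForwarding yes
# Remote-forwarded ports bind to loopback only
GatewayPorts no
```

```
# Dana laptop — ~/.ssh/config
Host workshop-staging
    HostName 10.20.0.11
    User deploy
    IdentityFile ~/.ssh/dana_ed25519
    ProxyJump bastion.workshopco.ca
    # Offer only the key named in IdentityFile
    IdentitiesOnly yes
```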
Book 7 zooms out to cloud infrastructure — where Workshop Co. might host DR, when to leave the basement, and Canadian data sovereignty choices.
Book 6 complete
You can administer Linux servers with keys, config files, hardened sshd, bastion hops, tunnels, and a written access policy — the standard toolkit for Canadian SMB infrastructure.