SSH certificates

Julien Cigar julien at perdition.city
Fri Nov 22 09:38:06 UTC 2019 

On Thu, Nov 21, 2019 at 05:26:44PM -0800, Michael Sierchio wrote:
> Key signing is a solution to a different problem.  The request is for
> strong auth to a CA which issues a time-limited SSH certificate with an
> ephemeral key.

Indeed, that's exactly what I'm looking for. Kerberos is complementary

> 
> On Thu, Nov 21, 2019 at 3:10 PM Walter Parker <walterp at gmail.com> wrote:
> 
> > >
> > >
> > > Message: 3
> > > Date: Thu, 21 Nov 2019 10:41:40 +0100
> > > From: Julien Cigar <julien at perdition.city>
> > > To: freebsd-questions at freebsd.org
> > > Subject: SSH certificates
> > > Message-ID: <20191121094140.GA1374 at p52s>
> > > Content-Type: text/plain; charset=utf-8
> > >
> > > Hello,
> > >
> > > I'd like to setup an automated mechanism to replace SSH keys and
> > > autorized_keys management with SSH certificates. Basically every member
> > > of the team who arrives in the morning should authenticate to an
> > > authority (some daemon in a very secure jail which implement a local CA
> > > + key sign) and should receive back a signed certificate with a validity
> > > period of x hours.
> > >
> > > After digging a little I found https://smallstep.com/certificates/
> > > and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm
> > > wondering if there were others similar tools ..?
> > >
> > > Thanks!
> > >
> > > Julien
> > >
> > >
> > > --
> > > Julien Cigar
> > > Belgian Biodiversity Platform (http://www.biodiversity.be)
> > > PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
> > > No trees were killed in the creation of this message.
> > > However, many electrons were terribly inconvenienced.
> > >
> > >
> >
> > Look at https://github.com/gravitational/teleport
> > (The source build should work on FreeBSD)
> >
> > it is a full security gateway. It uses SSH certificates.
> >
> > Or BLESS from Netflix
> > https://github.com/Netflix/bless
> >
> > It uses an AWS Lambda function to sign SSH public keys.
> >
> >
> > Walter
> >
> > --
> > The greatest dangers to liberty lurk in insidious encroachment by men
> > of zeal, well-meaning but without understanding.   -- Justice Louis D.
> > Brandeis
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "
> > freebsd-questions-unsubscribe at freebsd.org"
> >
> 
> 
> -- 
> 
> "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent person requires only two thousand five hundred."
> 
> - The Mahābhārata
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"

-- 
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.

More information about the freebsd-questions mailing list