From owner-freebsd-questions@freebsd.org Thu Nov 21 09:41:49 2019 Return-Path: Delivered-To: freebsd-questions@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1D9991B7507 for ; Thu, 21 Nov 2019 09:41:49 +0000 (UTC) (envelope-from SRS0=z97L=ZN=perdition.city=julien@bebif.be) Received: from orval.bbpf.belspo.be (orval.bbpf.belspo.be [193.191.208.90]) by mx1.freebsd.org (Postfix) with ESMTP id 47JZMc0Nrnz48Wq for ; Thu, 21 Nov 2019 09:41:47 +0000 (UTC) (envelope-from SRS0=z97L=ZN=perdition.city=julien@bebif.be) Received: from p52s (unknown [10.209.1.101]) by orval.bbpf.belspo.be (Postfix) with ESMTPS id 879891D502AD for ; Thu, 21 Nov 2019 10:41:45 +0100 (CET) Date: Thu, 21 Nov 2019 10:41:40 +0100 From: Julien Cigar To: freebsd-questions@freebsd.org Subject: SSH certificates Message-ID: <20191121094140.GA1374@p52s> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline User-Agent: Mutt/1.12.2 (2019-09-21) X-Rspamd-Queue-Id: 47JZMc0Nrnz48Wq X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of SRS0=z97L=ZN=perdition.city=julien@bebif.be designates 193.191.208.90 as permitted sender) smtp.mailfrom=SRS0=z97L=ZN=perdition.city=julien@bebif.be X-Spamd-Result: default: False [-4.49 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_TRACE(0.00)[0:+]; RCVD_IN_DNSWL_NONE(0.00)[90.208.191.193.list.dnswl.org : 127.0.10.0]; IP_SCORE(-3.09)[ip: (-9.25), ipnet: 193.191.192.0/19(-4.62), asn: 2611(-1.57), country: BE(-0.01)]; FORGED_SENDER(0.30)[julien@perdition.city,SRS0=z97L=ZN=perdition.city=julien@bebif.be]; RCVD_NO_TLS_LAST(0.10)[]; R_DKIM_NA(0.00)[]; MID_RHS_NOT_FQDN(0.50)[]; ASN(0.00)[asn:2611, ipnet:193.191.192.0/19, country:BE]; FROM_NEQ_ENVFROM(0.00)[julien@perdition.city,SRS0=z97L=ZN=perdition.city=julien@bebif.be]; DMARC_NA(0.00)[perdition.city]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Nov 2019 09:41:49 -0000 Hello, I'd like to setup an automated mechanism to replace SSH keys and autorized_keys management with SSH certificates. Basically every member of the team who arrives in the morning should authenticate to an authority (some daemon in a very secure jail which implement a local CA + key sign) and should receive back a signed certificate with a validity period of x hours. After digging a little I found https://smallstep.com/certificates/ and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm wondering if there were others similar tools ..? Thanks! Julien -- Julien Cigar Belgian Biodiversity Platform (http://www.biodiversity.be) PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0 No trees were killed in the creation of this message. However, many electrons were terribly inconvenienced.