Date: Thu, 21 Nov 2019 12:59:51 +0100
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: SSH certificates
Message-ID: <6cd8c401-8867-4a8c-be8f-e2d2a69c740f@www.fastmail.com>
In-Reply-To: <20191121094140.GA1374@p52s>
References: <20191121094140.GA1374@p52s>
On Thu, 21 Nov 2019, at 10:41, Julien Cigar wrote:
> Hello,
>
> I'd like to set up an automated mechanism to replace SSH keys and
> authorized_keys management with SSH certificates. Basically every member
> of the team who arrives in the morning should authenticate to an
> authority (some daemon in a very secure jail which implements a local CA
> + key sign) and should receive back a signed certificate with a validity
> period of x hours.
>
> After digging a little I found https://smallstep.com/certificates/
> and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm
> wondering if there were other similar tools ..?
>
> Thanks!

You can do all of that manually and there is a very nice book that covers
it in ssh mastery or go through these

https://man.openbsd.org/ssh-keygen#CERTIFICATES
https://blog.habets.se/2011/07/OpenSSH-certificates.html

smallstep is very nice and I've considered packaging it. At work we use
vault extensively and I haven't used it for this purpose but it should do
very nicely
https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html
and it's already in ports.

Personally I am not keen on having such a large trust perimeter but it
will likely depend on your preference for automation vs convenience.

A+
Dave
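The "do it manually with ssh-keygen" route Dave points at, as an added example that is not part of the thread and not code from either poster: a CA keypair, a user keypair, a signature with an 8-hour validity window and a single principal, the `ssh-keygen -L` view of what sshd will check, and the sshd_config fragment that trusts the CA. The principal name `alice`, the key comment, the `+8h` window and every path under the scratch directory are assumptions chosen for the example; the CA private key is what Dave's "trust perimeter" remark is about, so on a real host it lives only in the signing jail and only `user_ca.pub` goes to the servers.

```shell
#!/bin/sh
# Added example: short-lived SSH user certificates with ssh-keygen only.
# All paths below are scratch locations for this example, not real config.
set -eu

# Create a CA keypair and a user keypair, then sign the user key with an
# N-hour validity window for one principal. Prints the certificate path.
issue_short_lived_cert() {
    work="$1"
    hours="${2:-8}"
    principal="${3:-alice}"          # assumed login name for the example
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
    mkdir -p "$work"
    # 1. CA key: the private half stays in the signing jail; only user_ca.pub
    #    is copied to the servers.
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$work/user_ca"
    # 2. The team member's own key (normally already on their laptop).
    ssh-keygen -q -t ed25519 -N '' -C 'alice laptop' -f "$work/id_ed25519"
    # 3. Sign it: -s CA key, -I key id (shows up in sshd's auth log),
    #    -n allowed principals, -V validity relative to now.
    ssh-keygen -q -s "$work/user_ca" \
        -I "${principal}@$(date +%Y%m%d)" \
        -n "$principal" \
        -V "+${hours}h" \
        "$work/id_ed25519.pub"
    echo "$work/id_ed25519-cert.pub"
}

# Show the fields sshd evaluates: signing CA, key id, principals, validity.
inspect_cert() {
    ssh-keygen -L -f "$1"
}

# Pull just the principal list out of the -L output, one name per line.
cert_principals() {
    ssh-keygen -L -f "$1" \
        | sed -n '/Principals:/,/Critical Options:/p' \
        | sed '1d;$d' \
        | tr -d ' \t'
}

# sshd_config fragment that accepts certificates from this CA. Written to a
# scratch file here; on a real server it belongs in /etc/ssh/sshd_config,
# with AuthorizedPrincipalsFile mapping principals to local accounts so a
# certificate for "alice" cannot be used to log in as root.
write_sshd_fragment() {
    cat > "$1" <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
}

WORK="${WORK:-$(mktemp -d)}"
CERT=$(issue_short_lived_cert "$WORK" 8 alice)
inspect_cert "$CERT"
write_sshd_fragment "$WORK/sshd_config.fragment"
```

The client side needs nothing special: ssh picks up `id_ed25519-cert.pub` next to `id_ed25519` automatically. Once the `Valid: from ... to ...` window in the `-L` output has passed, the certificate is refused without any change on the servers, which is what replaces the morning authorized_keys shuffle; the daemon in the jail is then just something that runs the `-s` step after authenticating the user.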