Message-Id: <6cd8c401-8867-4a8c-be8f-e2d2a69c740f@www.fastmail.com>
In-Reply-To: <20191121094140.GA1374@p52s>
Date: Thu, 21 Nov 2019 12:59:51 +0100
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: SSH certificates

On Thu, 21 Nov 2019, at 10:41, Julien Cigar wrote:
> Hello,
>
> I'd like to set up an automated mechanism to replace SSH keys and
> authorized_keys management with SSH certificates. Basically every member
> of the team who arrives in the morning should authenticate to an
> authority (some daemon in a very secure jail which implements a local CA
> + key signing) and should receive back a signed certificate with a validity
> period of x hours.
>
> After digging a little I found https://smallstep.com/certificates/
> and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm
> wondering if there are other similar tools ..?
>
> Thanks!

You can do all of that manually, and there is a very nice book that covers it (SSH Mastery), or go through these:

https://man.openbsd.org/ssh-keygen#CERTIFICATES
https://blog.habets.se/2011/07/OpenSSH-certificates.html

smallstep is very nice and I've considered packaging it.
At work we use vault extensively, and I haven't used it for this purpose, but it should do very nicely: https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html and it's already in ports.

Personally I am not keen on having such a large trust perimeter, but it will likely depend on your preference for automation vs convenience.

A+
Dave
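The "do it manually" route from the reply above, worked through as an added example (this is not code from the thread, from OpenSSH, smallstep or Vault): a user CA, a short-lived certificate with an explicit validity window, principals and serial, a fingerprint check that the cert really came from our CA, and a KRL to revoke one cert early. Everything uses only ssh-keygen. The directory layout, the key names (user_ca, alice), the key ID alice@laptop, the principals alice,deploy, the -5m:+8h window and serial 42 are assumptions made for the example.

```shell
#!/bin/sh
# Added example: minimal OpenSSH user-CA workflow with plain ssh-keygen.
# File names, principals, key IDs, validity windows and serials are assumptions.
set -eu

# make_ca DIR: create the CA keypair DIR/user_ca and DIR/user_ca.pub.
# The private half is the whole trust perimeter; keep it on a separate host/jail.
make_ca() {
    mkdir -p "$1"
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$1/user_ca"
}

# make_user_key DIR NAME: an ordinary user keypair (DIR/NAME, DIR/NAME.pub),
# the key that no longer has to be copied into authorized_keys anywhere.
make_user_key() {
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1/$2"
}

# sign_user_key CA_KEY USER_PUB KEY_ID PRINCIPALS VALIDITY SERIAL
#   KEY_ID     : logged by sshd on every login, so tie it to a person/device
#   PRINCIPALS : comma-separated login names the cert is valid for
#   VALIDITY   : e.g. "-5m:+8h" (5 min backdated for clock skew, 8 h lifetime)
#   SERIAL     : unique per issued cert; lets a KRL revoke by serial later
# Writes USER_PUB with ".pub" replaced by "-cert.pub".
sign_user_key() {
    ssh-keygen -q -s "$1" -I "$3" -n "$4" -V "$5" -z "$6" "$2"
}

# cert_key_id CERT: the Key ID string embedded in the certificate.
cert_key_id() {
    ssh-keygen -L -f "$1" | sed -n 's/^ *Key ID: "\(.*\)"$/\1/p'
}

# cert_serial CERT: the serial number embedded in the certificate.
cert_serial() {
    ssh-keygen -L -f "$1" | sed -n 's/^ *Serial: \([0-9]*\)$/\1/p'
}

# cert_principals CERT: the principals, one per line, in certificate order.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/^ *Principals:/ {p=1; next} /^ *Critical Options:/ {p=0} p {sub(/^[ \t]+/, ""); print}'
}

# cert_ca_fingerprint CERT: fingerprint of the key that signed CERT.
cert_ca_fingerprint() {
    ssh-keygen -L -f "$1" | awk '/^ *Signing CA:/ {print $4}'
}

# key_fingerprint PUB: fingerprint of a public key file.
key_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# cert_issued_by CERT CA_PUB: succeeds if CERT names CA_PUB as its signing CA.
# This only compares fingerprints; sshd verifies the actual signature at login.
cert_issued_by() {
    [ "$(cert_ca_fingerprint "$1")" = "$(key_fingerprint "$2")" ]
}

# revoke_cert KRL CERT: create KRL, or update it if it exists, revoking CERT.
# Point sshd's RevokedKeys at the KRL so revocation takes effect before expiry.
revoke_cert() {
    if [ -f "$1" ]; then
        ssh-keygen -q -k -u -f "$1" "$2"
    else
        ssh-keygen -q -k -f "$1" "$2"
    fi
}

# cert_revoked KRL CERT: succeeds if CERT is listed in KRL.
# ssh-keygen -Q exits non-zero when any key given to it is revoked.
cert_revoked() {
    ! ssh-keygen -Q -f "$1" "$2" >/dev/null 2>&1
}

# demo: end-to-end run in a temporary directory.
demo() {
    d=$(mktemp -d)
    make_ca "$d/ca"
    make_user_key "$d" alice
    sign_user_key "$d/ca/user_ca" "$d/alice.pub" 'alice@laptop' 'alice,deploy' '-5m:+8h' 42
    ssh-keygen -L -f "$d/alice-cert.pub"
    cert_issued_by "$d/alice-cert.pub" "$d/ca/user_ca.pub" && echo "cert issued by our CA"
    revoke_cert "$d/revoked.krl" "$d/alice-cert.pub"
    cert_revoked "$d/revoked.krl" "$d/alice-cert.pub" && echo "cert now revoked"
    echo "sshd_config on servers:  TrustedUserCAKeys /etc/ssh/user_ca.pub"
    echo "                         RevokedKeys /etc/ssh/revoked.krl"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh sshca.sh demo`. On the server side only two sshd_config lines are needed: `TrustedUserCAKeys` pointing at user_ca.pub (the CA public key, never the private key) and, if early revocation matters, `RevokedKeys` pointing at the KRL; the client just needs alice and alice-cert.pub side by side, which ssh picks up automatically. The daemon Julien describes is then the part that authenticates a user and runs sign_user_key on their behalf with a short window, which is what smallstep and Vault's signed-ssh-certificates backend package up.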