Date:      Thu, 21 Nov 2019 15:09:48 -0800
From:      Walter Parker <walterp@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   SSH certificates
Message-ID:  <CAMPTd_Cm_HDvMODsY=wHd4tzhbo126K0MKrJYGh4gmp=dHHHpQ@mail.gmail.com>
In-Reply-To: <mailman.99.1574337604.50155.freebsd-questions@freebsd.org>
References:  <mailman.99.1574337604.50155.freebsd-questions@freebsd.org>

>
>
> Message: 3
> Date: Thu, 21 Nov 2019 10:41:40 +0100
> From: Julien Cigar <julien@perdition.city>
> To: freebsd-questions@freebsd.org
> Subject: SSH certificates
> Message-ID: <20191121094140.GA1374@p52s>
> Content-Type: text/plain; charset=utf-8
>
> Hello,
>
> I'd like to set up an automated mechanism to replace SSH keys and
> authorized_keys management with SSH certificates. Basically every member
> of the team who arrives in the morning should authenticate to an
> authority (some daemon in a very secure jail which implements a local CA
> + key signing) and should receive back a signed certificate with a validity
> period of x hours.
>
> After digging a little I found https://smallstep.com/certificates/
> and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm
> wondering if there were others similar tools ..?
>
> Thanks!
>
> Julien
>
>
> --
> Julien Cigar
> Belgian Biodiversity Platform (http://www.biodiversity.be)
> PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
> No trees were killed in the creation of this message.
> However, many electrons were terribly inconvenienced.
>
>

Look at https://github.com/gravitational/teleport
(The source build should work on FreeBSD)

It is a full security gateway. It uses SSH certificates.

Or BLESS from Netflix
https://github.com/Netflix/bless

It uses an AWS Lambda function to sign SSH public keys.


Walter

-- 
The greatest dangers to liberty lurk in insidious encroachment by men
of zeal, well-meaning but without understanding.   -- Justice Louis D.
Brandeis
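The flow Julien describes (a CA in a jail that signs a user's key with an x-hour validity window) is exactly what the OpenSSH certificate format supports natively; Teleport and BLESS wrap the same format with their own authentication front-end. The script below is an added example for this archive, not code from the thread or from either project. It uses only ssh-keygen from base OpenSSH; the paths, the key id, the principals, the serial number and the 8-hour validity are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: minimal "sign-in-the-morning" flow on plain ssh-keygen.
# Paths, names, serial and the +8h validity are illustrative assumptions.
set -eu

if ! command -v ssh-keygen >/dev/null 2>&1; then
    echo "ssh-keygen not found; nothing to demonstrate" >&2
    exit 0
fi

WORK="${WORK:-$(mktemp -d)}"
CA="$WORK/user_ca"          # CA private key: assumed to live only in the signing jail

# 1. One-time CA setup. Only $CA.pub ever leaves the jail; it is what goes
#    into sshd_config on every host:  TrustedUserCAKeys /etc/ssh/user_ca.pub
make_ca() {
    [ -f "$CA" ] || ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$CA"
}

# 2. Per-request signing, i.e. what the daemon does after authenticating
#    the team member. The validity window is what makes the certificate
#    expire on its own; key id and serial show up in sshd's auth log.
#    -O clear drops the default extensions, then only permit-pty is granted.
#    $1 user public key file, $2 key id, $3 principals, $4 validity, $5 serial
sign_user_key() {
    ssh-keygen -q -s "$CA" -I "$2" -n "$3" -V "$4" -z "$5" \
        -O clear -O permit-pty "$1"
    printf '%s\n' "${1%.pub}-cert.pub"   # ssh-keygen's output naming
}

# Read one field of 'ssh-keygen -L' output. $1 certificate, $2 field name.
cert_field() {
    ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2: //p"
}

# Key ID is printed in double quotes by ssh-keygen -L; strip them.
cert_key_id() {
    cert_field "$1" 'Key ID' | tr -d '"'
}

# 3. Client-side check before use: does the certificate chain to our CA?
#    Compares the signing-CA fingerprint embedded in the cert with the
#    fingerprint of the CA public key. $1 certificate, $2 CA public key.
cert_signed_by() {
    signer=$(cert_field "$1" 'Signing CA' | sed 's/^[^ ]* \(SHA256:[^ ]*\).*/\1/')
    expected=$(ssh-keygen -lf "$2" | awk '{print $2}')
    [ -n "$signer" ] && [ "$signer" = "$expected" ]
}

# Demo run: the team member's key (constructed here) gets an 8-hour cert.
make_ca
[ -f "$WORK/id_ed25519" ] || \
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/id_ed25519"
CERT=$(sign_user_key "$WORK/id_ed25519.pub" 'alice@laptop' 'alice,admin' '+8h' 42)
ssh-keygen -L -f "$CERT"
cert_signed_by "$CERT" "$CA.pub" && echo "certificate chains to $(basename "$CA").pub"
```

Because the certificate is written next to the private key as id_ed25519-cert.pub, ssh(1) picks it up automatically; on the server side nothing but TrustedUserCAKeys is needed, and sshd refuses the certificate outside its validity window, so no authorized_keys cleanup is ever required. The principals list is what you restrict with AuthorizedPrincipalsFile if a host should accept only some of them.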


