Date: Thu, 21 Nov 2019 18:52:33 -0500
From: "Vlad D. Markov" <dvoich@aim.com>
To: Walter Parker <walterp@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: SSH certificates
Message-ID: <20191121185233.b43d056e0212c2b8c3d25b9b@aim.com>
In-Reply-To: <CAMPTd_Cm_HDvMODsY=wHd4tzhbo126K0MKrJYGh4gmp=dHHHpQ@mail.gmail.com>
References: <mailman.99.1574337604.50155.freebsd-questions@freebsd.org> <CAMPTd_Cm_HDvMODsY=wHd4tzhbo126K0MKrJYGh4gmp=dHHHpQ@mail.gmail.com>
On Thu, 21 Nov 2019 15:09:48 -0800 Walter Parker <walterp@gmail.com> wrote:

> > Message: 3
> > Date: Thu, 21 Nov 2019 10:41:40 +0100
> > From: Julien Cigar <julien@perdition.city>
> > To: freebsd-questions@freebsd.org
> > Subject: SSH certificates
> > Message-ID: <20191121094140.GA1374@p52s>
> > Content-Type: text/plain; charset=utf-8
> >
> > Hello,
> >
> > I'd like to set up an automated mechanism to replace SSH keys and authorized_keys management with SSH certificates. Basically every member of the team who arrives in the morning should authenticate to an authority (some daemon in a very secure jail which implements a local CA + key signing) and should receive back a signed certificate with a validity period of x hours.
> >
> > After digging a little I found https://smallstep.com/certificates/ and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm wondering if there are other similar tools ..?
> >
> > Thanks!
> >
> > Julien
> >
> > --
> > Julien Cigar
> > Belgian Biodiversity Platform (http://www.biodiversity.be)
> > PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0
> > No trees were killed in the creation of this message.
> > However, many electrons were terribly inconvenienced.
>
> Look at https://github.com/gravitational/teleport (the source build should work on FreeBSD). It is a full security gateway. It uses SSH certificates.
>
> Or BLESS from Netflix: https://github.com/Netflix/bless
>
> It uses an AWS Lambda function to sign SSH public keys.
>
> Walter
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis

This sounds like replacing Kerberos with SSH. The functionality desired was implemented in Kerberos years ago.
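The mechanism Julien describes (a local CA that signs a team member's public key into a certificate valid for x hours, which the server then trusts instead of an authorized_keys entry) can be built with nothing but OpenSSH's own ssh-keygen. The script below is an added example written for this thread, not code from any of the posters or from the projects they mention. The scratch directory, the principal name "jcigar", the key id format, the 8-hour validity and the ed25519 key type are assumptions.

```shell
#!/bin/sh
# Added example: a minimal OpenSSH user CA issuing short-lived certificates.
# Everything runs in a scratch directory with ssh-keygen only.
# Assumed: WORKDIR, the principal "jcigar", the key id format and VALIDITY.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_KEY="$WORKDIR/user_ca"        # CA private key; in practice it stays inside the secure jail
USER_KEY="$WORKDIR/id_ed25519"   # the team member's own key pair
VALIDITY="${VALIDITY:-+8h}"      # the "x hours" window, in ssh-keygen -V syntax (from now)

# Step 1: create the CA key pair once. Only user_ca.pub is ever copied to servers.
make_ca() {
    [ -f "$CA_KEY" ] || ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$CA_KEY"
}

# Step 2: the user generates a key pair; the CA only ever sees the public half.
make_user_key() {
    [ -f "$USER_KEY" ] || ssh-keygen -q -t ed25519 -N '' -C 'jcigar@laptop' -f "$USER_KEY"
}

# Step 3: the CA signs the public key into a certificate restricted to one
# principal and one validity window. Output: $USER_KEY-cert.pub.
issue_cert() {
    principal="$1"
    ssh-keygen -q -s "$CA_KEY" -I "$principal-$(date +%Y%m%d%H%M)" \
        -n "$principal" -V "$VALIDITY" "$USER_KEY.pub"
}

# Check 1: the certificate lists the given principal (sshd matches it
# against the login name, or against AuthorizedPrincipalsFile).
cert_has_principal() {
    ssh-keygen -L -f "$USER_KEY-cert.pub" | grep -q "^ *$1\$"
}

# Check 2: the certificate was signed by our CA, compared by fingerprint.
cert_signed_by_ca() {
    fp="$(ssh-keygen -lf "$CA_KEY.pub" | awk '{print $2}')"
    ssh-keygen -L -f "$USER_KEY-cert.pub" | grep -qF "Signing CA: ED25519 $fp"
}

# Demo when run directly: issue a certificate and print its contents,
# including the "Valid: from ... to ..." line that sshd enforces.
if [ "${1:-}" = "demo" ]; then
    make_ca
    make_user_key
    issue_cert jcigar
    ssh-keygen -L -f "$USER_KEY-cert.pub"
fi
```

On the server side the only change is a `TrustedUserCAKeys /etc/ssh/user_ca.pub` line in sshd_config; no per-user authorized_keys entries are needed, and because sshd checks the certificate's validity window itself, an expired morning certificate simply stops working with no revocation step. The daemon Julien has in mind is the `issue_cert` step wrapped behind an authentication check, with the CA private key never leaving the jail.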