From owner-freebsd-questions@freebsd.org Thu Nov 21 23:52:40 2019
Date: Thu, 21 Nov 2019 18:52:33 -0500
From: "Vlad D. Markov" <dvoich@aim.com>
To: Walter Parker
Cc: freebsd-questions@freebsd.org
Subject: Re: SSH certificates
Message-Id: <20191121185233.b43d056e0212c2b8c3d25b9b@aim.com>

On Thu, 21 Nov 2019 15:09:48 -0800
Walter Parker wrote:

> > Message: 3
> > Date: Thu, 21 Nov 2019 10:41:40 +0100
> > From: Julien Cigar
> > To: freebsd-questions@freebsd.org
> > Subject: SSH certificates
> > Message-ID: <20191121094140.GA1374@p52s>
> >
> > Hello,
> >
> > I'd like to set up an automated mechanism to replace SSH keys and
> > authorized_keys management with SSH certificates. Basically every member
> > of the team who arrives in the morning should authenticate to an
> > authority (some daemon in a very secure jail which implements a local CA
> > + key sign) and should receive back a signed certificate with a validity
> > period of x hours.
> >
> > After digging a little I found https://smallstep.com/certificates/
> > and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm
> > wondering if there were other similar tools..?
> >
> > Thanks!
> >
> > Julien
> >
> > --
> > Julien Cigar
> > Belgian Biodiversity Platform (http://www.biodiversity.be)
> > PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0
> > No trees were killed in the creation of this message.
> > However, many electrons were terribly inconvenienced.
>
> Look at https://github.com/gravitational/teleport
> (The source build should work on FreeBSD)
>
> It is a full security gateway. It uses SSH certificates.
>
> Or BLESS from Netflix
> https://github.com/Netflix/bless
>
> It uses an AWS Lambda function to sign SSH public keys.
>
> Walter
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men
> of zeal, well-meaning but without understanding. -- Justice Louis D.
> Brandeis

This sounds like replacing Kerberos with SSH. The functionality desired was implemented in Kerberos years ago.
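The flow Julien asks about (a local CA signs a user's key for a fixed number of hours, and servers trust the CA instead of per-user authorized_keys) needs nothing beyond stock OpenSSH. The script below is an added example, not code from this thread or from Teleport, BLESS or smallstep; the scratch directory, key names, principal name and the /etc/ssh/user_ca.pub path are constructed for the demo.

```shell
#!/bin/sh
# Added example: "local CA signs a short-lived user certificate" with ssh-keygen
# only. Paths, key names and the principal are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the demo

# One-time: create the CA signing key. In the real setup this private key stays
# inside the signing jail; only user_ca.pub is copied to the servers.
init_ca() {
    [ -f "$WORK/user_ca" ] ||
        ssh-keygen -q -t ed25519 -N '' -C 'team-user-ca' -f "$WORK/user_ca"
}

# Per login: sign <pubkey-file> for principal <user>, valid for <hours>.
#   -I  key identity, logged by sshd on every login (audit trail)
#   -n  principals the holder may log in as (explicit, no wildcard)
#   -V  validity window; the -5m start tolerates small clock skew.
# The short lifetime is what stands in for revocation in this design.
issue_cert() {  # issue_cert <pubkey-file> <user> <hours>
    ssh-keygen -q -s "$WORK/user_ca" -I "$2-$(date +%s)" -n "$2" \
        -V "-5m:+${3}h" "$1"
    # ssh-keygen writes the certificate as <key>-cert.pub next to <key>.pub
}

# Print the principals embedded in a certificate, one per line, parsed from
# the human-readable `ssh-keygen -L` dump.
cert_principals() {  # cert_principals <cert-file>
    ssh-keygen -L -f "$1" |
        awk '/^ *Principals:/ {p=1; next} /^ *Critical Options:/ {p=0} p {sub(/^ +/, ""); print}'
}

# Server side: the single sshd_config line that replaces per-user authorized_keys.
server_config() {
    printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\n'
}

demo() {
    init_ca
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/alice"   # the user's own key pair
    issue_cert "$WORK/alice.pub" alice 8              # 8-hour certificate
    ssh-keygen -L -f "$WORK/alice-cert.pub"           # shows the Valid: window
    server_config
}

command -v ssh-keygen >/dev/null 2>&1 || { echo 'ssh-keygen not found' >&2; exit 0; }
demo
```

On the server, sshd accepts the certificate only while its Valid window is current and the login name matches one of its principals, so yesterday's certificate is useless the next morning without anyone touching authorized_keys.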