From owner-freebsd-questions@freebsd.org Fri Nov 22 09:35:17 2019 Return-Path: Delivered-To: freebsd-questions@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id DF83E1B30EC for ; Fri, 22 Nov 2019 09:35:17 +0000 (UTC) (envelope-from SRS0=Qo/I=ZO=perdition.city=julien@bebif.be) Received: from orval.bbpf.belspo.be (orval.bbpf.belspo.be [193.191.208.90]) by mx1.freebsd.org (Postfix) with ESMTP id 47KB9d0Bpqz4YdQ for ; Fri, 22 Nov 2019 09:35:16 +0000 (UTC) (envelope-from SRS0=Qo/I=ZO=perdition.city=julien@bebif.be) Received: from p52s (unknown [10.209.1.101]) by orval.bbpf.belspo.be (Postfix) with ESMTPS id 3E2521D5033C; Fri, 22 Nov 2019 10:35:15 +0100 (CET) Date: Fri, 22 Nov 2019 10:35:14 +0100 From: Julien Cigar To: Dave Cottlehuber Cc: freebsd-questions Subject: Re: SSH certificates Message-ID: <20191122093514.GB1402@p52s> References: <20191121094140.GA1374@p52s> <6cd8c401-8867-4a8c-be8f-e2d2a69c740f@www.fastmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <6cd8c401-8867-4a8c-be8f-e2d2a69c740f@www.fastmail.com> User-Agent: Mutt/1.12.2 (2019-09-21) X-Rspamd-Queue-Id: 47KB9d0Bpqz4YdQ X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of SRS0=Qo/I=ZO=perdition.city=julien@bebif.be designates 193.191.208.90 as permitted sender) smtp.mailfrom=SRS0=Qo/I=ZO=perdition.city=julien@bebif.be X-Spamd-Result: default: False [-4.48 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[text/plain]; MIME_TRACE(0.00)[0:+]; DMARC_NA(0.00)[perdition.city]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[90.208.191.193.list.dnswl.org : 127.0.10.0]; IP_SCORE(-3.08)[ip: (-9.21), ipnet: 193.191.192.0/19(-4.60), asn: 2611(-1.56), country: BE(-0.01)]; FORGED_SENDER(0.30)[julien@perdition.city,SRS0=Qo/I=ZO=perdition.city=julien@bebif.be]; RCVD_NO_TLS_LAST(0.10)[]; R_DKIM_NA(0.00)[]; MID_RHS_NOT_FQDN(0.50)[]; ASN(0.00)[asn:2611, ipnet:193.191.192.0/19, country:BE]; FROM_NEQ_ENVFROM(0.00)[julien@perdition.city,SRS0=Qo/I=ZO=perdition.city=julien@bebif.be]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Nov 2019 09:35:17 -0000 On Thu, Nov 21, 2019 at 12:59:51PM +0100, Dave Cottlehuber wrote: > > > On Thu, 21 Nov 2019, at 10:41, Julien Cigar wrote: > > Hello, > > > > I'd like to setup an automated mechanism to replace SSH keys and > > autorized_keys management with SSH certificates. Basically every member > > of the team who arrives in the morning should authenticate to an > > authority (some daemon in a very secure jail which implement a local CA > > + key sign) and should receive back a signed certificate with a validity > > period of x hours. > > > > After digging a little I found https://smallstep.com/certificates/ > > and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm > > wondering if there were others similar tools ..? > > > > Thanks! > > You can do all of that manually and there is a very nice book that covers it in ssh mastery or go through these > > https://man.openbsd.org/ssh-keygen#CERTIFICATES > https://blog.habets.se/2011/07/OpenSSH-certificates.html > Thank you, I know I can do that manually but I was looking for a lightweight existing solution: clients should be able to auth through CLI or through a web portal for example (and I don't have time to redevelop those unfortunately..) > smallstep is very nice and I’ve considered packaging it. At work we use vault extensively and I haven’t used it for this purpose but it should do very nicely https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html and it’s already in ports. > Vault was already on my TODO list, I'll put it on top :) > Personally I am not keen on having such a large trust perimeter but it will likely depend on your preference for automation vs convenience. > ATM I'm managing authorized_keys with Saltstack, it works but it's far from practical.. > A+ > Dave > _______________________________________________ > freebsd-questions@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" -- Julien Cigar Belgian Biodiversity Platform (http://www.biodiversity.be) PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0 No trees were killed in the creation of this message. However, many electrons were terribly inconvenienced.