Date:      Fri, 22 Nov 2019 10:38:04 +0100
From:      Julien Cigar <julien@perdition.city>
To:        Michael Sierchio <kudzu@tenebras.com>
Cc:        Walter Parker <walterp@gmail.com>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: SSH certificates
Message-ID:  <20191122093804.GD1402@p52s>
In-Reply-To: <CAHu1Y73A_BZ9C5R77GpQw5ebaWcCkPtUZVagLonW6NtqeNsydQ@mail.gmail.com>
References:  <mailman.99.1574337604.50155.freebsd-questions@freebsd.org> <CAMPTd_Cm_HDvMODsY=wHd4tzhbo126K0MKrJYGh4gmp=dHHHpQ@mail.gmail.com> <CAHu1Y73A_BZ9C5R77GpQw5ebaWcCkPtUZVagLonW6NtqeNsydQ@mail.gmail.com>

On Thu, Nov 21, 2019 at 05:26:44PM -0800, Michael Sierchio wrote:
> Key signing is a solution to a different problem.  The request is for
> strong auth to a CA which issues a time-limited SSH certificate with an
> ephemeral key.

Indeed, that's exactly what I'm looking for. Kerberos is complementary

>
> On Thu, Nov 21, 2019 at 3:10 PM Walter Parker <walterp@gmail.com> wrote:
>
> > >
> > >
> > > Message: 3
> > > Date: Thu, 21 Nov 2019 10:41:40 +0100
> > > From: Julien Cigar <julien@perdition.city>
> > > To: freebsd-questions@freebsd.org
> > > Subject: SSH certificates
> > > Message-ID: <20191121094140.GA1374@p52s>
> > > Content-Type: text/plain; charset=utf-8
> > >
> > > Hello,
> > >
> > > I'd like to set up an automated mechanism to replace SSH keys and
> > > authorized_keys management with SSH certificates. Basically every member
> > > of the team who arrives in the morning should authenticate to an
> > > authority (some daemon in a very secure jail which implements a local CA
> > > + key signing) and should receive back a signed certificate with a validity
> > > period of x hours.
> > >
> > > After digging a little I found https://smallstep.com/certificates/
> > > and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm
> > > wondering if there are other similar tools?
> > >
> > > Thanks!
> > >
> > > Julien
> > >
> > >
> > > --
> > > Julien Cigar
> > > Belgian Biodiversity Platform (http://www.biodiversity.be)
> > > PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
> > > No trees were killed in the creation of this message.
> > > However, many electrons were terribly inconvenienced.
> > >
> > >
> >
> > Look at https://github.com/gravitational/teleport
> > (The source build should work on FreeBSD)
> >
> > It is a full security gateway. It uses SSH certificates.
> >
> > Or BLESS from Netflix
> > https://github.com/Netflix/bless
> >
> > It uses an AWS Lambda function to sign SSH public keys.
> >
> >
> > Walter
> >
> > --
> > The greatest dangers to liberty lurk in insidious encroachment by men
> > of zeal, well-meaning but without understanding.   -- Justice Louis D.
> > Brandeis
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> >
>
>
> --
>
> "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent person requires only two thousand five hundred."
>
> - The Mahābhārata
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

-- 
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
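The flow asked about in this thread ends with the CA handing back a signed certificate that carries a validity window, a key id and a list of principals, and it is those fields that sshd checks on every login. The following is an added example, not code from this thread nor from smallstep, Teleport or BLESS: it assembles a user certificate in OpenSSH's ssh-ed25519-cert-v01 layout (PROTOCOL.certkeys), parses it back, and applies the non-cryptographic checks an sshd configured with TrustedUserCAKeys makes (certificate type, issuing CA, principal, valid_after/valid_before). The key bytes, signature and timestamps are constructed placeholders, and the Ed25519 signature is deliberately not verified here; sshd does that.

```python
"""Added example (not from the thread or from smallstep/Teleport/BLESS): build
an OpenSSH user certificate blob in the ssh-ed25519-cert-v01 layout from
PROTOCOL.certkeys, parse it back, and apply the checks an sshd configured with
TrustedUserCAKeys makes on top of the signature: certificate type, issuing CA,
principal and validity window. Keys and signature are placeholder bytes; the
Ed25519 signature itself is not verified here."""
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # type field: 1 = user certificate, 2 = host certificate


def _s(b):
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _pairs(items):
    """Critical options / extensions: name, then data (an SSH string holding
    the value, or empty for flag entries such as permit-pty)."""
    return b"".join(_s(n.encode()) + _s(_s(v.encode()) if v else b"")
                    for n, v in items)


def build_user_cert(user_pub, key_id, principals, valid_after, valid_before,
                    ca_pub, signature, serial=1, options=(), extensions=()):
    """Raw certificate blob, fields in the order sshd parses them."""
    return b"".join([
        _s(CERT_TYPE), _s(b"\x00" * 32),  # type, nonce (random in real certs)
        _s(user_pub), struct.pack(">Q", serial), struct.pack(">I", USER_CERT),
        _s(key_id.encode()),              # key id shows up in sshd's auth log
        _s(b"".join(_s(p.encode()) for p in principals)),
        struct.pack(">QQ", valid_after, valid_before),  # Unix timestamps
        _s(_pairs(options)), _s(_pairs(extensions)), _s(b""),  # last: reserved
        _s(ca_pub), _s(signature),        # signature key is the CA public key
    ])


class _Reader:
    def __init__(self, data):
        self.data, self.off = data, 0

    def num(self, fmt):
        (v,) = struct.unpack_from(fmt, self.data, self.off)
        self.off += struct.calcsize(fmt)
        return v

    def string(self):
        n = self.num(">I")
        self.off += n
        return self.data[self.off - n:self.off]

    def strings(self):  # every SSH string until the buffer is exhausted
        out = []
        while self.off < len(self.data):
            out.append(self.string())
        return out


def parse_cert(blob):
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519-cert-v01 certificate")
    c = {"nonce": r.string(), "pubkey": r.string(), "serial": r.num(">Q"),
         "type": r.num(">I"), "key_id": r.string().decode()}
    c["principals"] = [p.decode() for p in _Reader(r.string()).strings()]
    c["valid_after"], c["valid_before"] = r.num(">Q"), r.num(">Q")
    # options and extensions alternate name/data, so keep every second string
    c["options"] = [n.decode() for n in _Reader(r.string()).strings()[::2]]
    c["extensions"] = [n.decode() for n in _Reader(r.string()).strings()[::2]]
    r.string()  # reserved
    c["ca_pub"], c["signature"] = r.string(), r.string()
    return c


def check_cert(cert, trusted_ca_pubs, login_user, now):
    """Policy checks sshd makes after signature verification (omitted here)."""
    if cert["type"] != USER_CERT:
        return False, "not a user certificate"
    if cert["ca_pub"] not in trusted_ca_pubs:
        return False, "issuing CA is not in TrustedUserCAKeys"
    if login_user not in cert["principals"]:
        return False, "principal %r not listed in certificate" % login_user
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False, "outside validity window"
    return True, "ok"


# constructed placeholder material, NOT real keys or a real signature
USER_PUB, CA_PUB, FAKE_SIG = b"\x11" * 32, b"\x22" * 32, b"\x33" * 64
ISSUED_AT, LIFETIME = 1574330000, 8 * 3600  # constructed epoch; "x hours" = 8


def demo_blob():
    """Eight-hour cert for principal 'julien', restricted to 10.0.0.0/8."""
    return build_user_cert(USER_PUB, "julien@laptop", ["julien"], ISSUED_AT,
                           ISSUED_AT + LIFETIME, CA_PUB, FAKE_SIG,
                           options=[("source-address", "10.0.0.0/8")],
                           extensions=[("permit-pty", "")])
```

`parse_cert(demo_blob())` yields the same fields that `ssh-keygen -L -f id_ed25519-cert.pub` prints for a real certificate, and `check_cert` rejects the cert at exactly `valid_before` (the window is half-open), for a principal not in the list, and for a CA key that is not trusted. A real CA produces the equivalent blob with `ssh-keygen -s ca_key -I key_id -n principal -V +8h user_key.pub`; the validity window is what makes the daily re-issue in the original question worthwhile, since nothing has to be revoked when a laptop disappears.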


