Date:      Thu, 21 Nov 2019 12:59:51 +0100
From:      "Dave Cottlehuber" <dch@skunkwerks.at>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: SSH certificates
Message-ID:  <6cd8c401-8867-4a8c-be8f-e2d2a69c740f@www.fastmail.com>
In-Reply-To: <20191121094140.GA1374@p52s>
References:  <20191121094140.GA1374@p52s>



On Thu, 21 Nov 2019, at 10:41, Julien Cigar wrote:
> Hello,
>
> I'd like to set up an automated mechanism to replace SSH keys and
> authorized_keys management with SSH certificates. Basically every member
> of the team who arrives in the morning should authenticate to an
> authority (some daemon in a very secure jail which implements a local CA
> + key sign) and should receive back a signed certificate with a validity
> period of x hours.
>
> After digging a little I found https://smallstep.com/certificates/
> and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm
> wondering if there are other similar tools ..?
>
> Thanks!

You can do all of that manually, and there is a very nice book that covers it, SSH Mastery, or go through these:

https://man.openbsd.org/ssh-keygen#CERTIFICATES
https://blog.habets.se/2011/07/OpenSSH-certificates.html

smallstep is very nice and I've considered packaging it. At work we use vault extensively and I haven't used it for this purpose, but it should do very nicely https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html and it's already in ports.

Personally I am not keen on having such a large trust perimeter, but it will likely depend on your preference for automation vs convenience.

A+
Dave
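A manual version of the workflow the question describes, using the ssh-keygen certificate support the reply points to: one user CA, short-lived user certificates carrying explicit principals, a serial for auditing, and extensions cleared to the minimum. This is an added example, not code from the thread; the file paths, principal names, key id, 8-hour validity and serial number are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal SSH user CA issuing
# short-lived user certificates. Paths and names are constructed.
set -eu

# Create the CA key pair. The empty passphrase is for the demo only; the
# CA private key is the whole trust perimeter, so keep it in the jail.
make_ca() {
  dir=$1
  ssh-keygen -q -t ed25519 -N '' -C 'team-user-ca' -f "$dir/user_ca"
}

# Sign a user's public key: key id and serial end up in sshd's auth log,
# principals limit which accounts the cert is good for, and the validity
# window ("+8h") is what makes the morning re-issue cycle work. The
# extensions are cleared first so only permit-pty is granted.
sign_user_key() {
  dir=$1; pubkey=$2; key_id=$3; principals=$4; hours=$5; serial=$6
  ssh-keygen -q -s "$dir/user_ca" -I "$key_id" -n "$principals" \
    -V "+${hours}h" -z "$serial" -O clear -O permit-pty "$pubkey"
  # ssh-keygen writes the certificate next to the key as <name>-cert.pub
}

# Show what the server will evaluate: type, signing CA, key id, serial,
# validity window, principals, critical options and extensions.
show_cert() {
  ssh-keygen -L -f "$1"
}

# Exit 0 if the certificate lists the given principal (one per line,
# indented, in the "Principals:" section of ssh-keygen -L output).
cert_has_principal() {
  ssh-keygen -L -f "$1" | grep -q "^[[:space:]]*$2\$"
}

# Server side: trust the CA public key instead of per-user authorized_keys.
# (Assumed path; adjust for the host.)
sshd_snippet() {
  printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\n'
}
```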
