Date:      Thu, 21 Nov 2019 17:26:44 -0800
From:      Michael Sierchio <kudzu@tenebras.com>
To:        Walter Parker <walterp@gmail.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: SSH certificates
Message-ID:  <CAHu1Y73A_BZ9C5R77GpQw5ebaWcCkPtUZVagLonW6NtqeNsydQ@mail.gmail.com>
In-Reply-To: <CAMPTd_Cm_HDvMODsY=wHd4tzhbo126K0MKrJYGh4gmp=dHHHpQ@mail.gmail.com>
References:  <mailman.99.1574337604.50155.freebsd-questions@freebsd.org> <CAMPTd_Cm_HDvMODsY=wHd4tzhbo126K0MKrJYGh4gmp=dHHHpQ@mail.gmail.com>

Key signing is a solution to a different problem.  The request is for
strong auth to a CA which issues a time-limited SSH certificate with an
ephemeral key.

On Thu, Nov 21, 2019 at 3:10 PM Walter Parker <walterp@gmail.com> wrote:

> >
> >
> > Message: 3
> > Date: Thu, 21 Nov 2019 10:41:40 +0100
> > From: Julien Cigar <julien@perdition.city>
> > To: freebsd-questions@freebsd.org
> > Subject: SSH certificates
> > Message-ID: <20191121094140.GA1374@p52s>
> > Content-Type: text/plain; charset=utf-8
> >
> > Hello,
> >
> > I'd like to setup an automated mechanism to replace SSH keys and
> > authorized_keys management with SSH certificates. Basically every member
> > of the team who arrives in the morning should authenticate to an
> > authority (some daemon in a very secure jail which implements a local CA
> > + key sign) and should receive back a signed certificate with a validity
> > period of x hours.
> >
> > After digging a little I found https://smallstep.com/certificates/
> > and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm
> > wondering if there are other similar tools?
> >
> > Thanks!
> >
> > Julien
> >
> >
> > --
> > Julien Cigar
> > Belgian Biodiversity Platform (http://www.biodiversity.be)
> > PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
> > No trees were killed in the creation of this message.
> > However, many electrons were terribly inconvenienced.
> >
> >
>
> Look at https://github.com/gravitational/teleport
> (The source build should work on FreeBSD)
>
> it is a full security gateway. It uses SSH certificates.
>
> Or BLESS from Netflix
> https://github.com/Netflix/bless
>
> It uses an AWS Lambda function to sign SSH public keys.
>
>
> Walter
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men
> of zeal, well-meaning but without understanding.   -- Justice Louis D.
> Brandeis
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe@freebsd.org"
>


-- 

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
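The flow Julien asks for and Michael's reply summarises (the user proves who they are to a CA, the CA signs a fresh public key for a limited validity window, every host trusts the CA instead of carrying an authorized_keys file) can be exercised with nothing but OpenSSH's own ssh-keygen. The script below is an added example, not code from this thread or from smallstep, Teleport or BLESS; the working directory, the CA key name `user_ca`, the principal `alice`, the key ID suffix `@team-ca` and the eight-hour window are all constructed for the demonstration. The "authenticate to the authority" step is left out on purpose: whatever does it (the jail daemon, a Lambda, a gateway) ends up calling the same `ssh-keygen -s` step shown here.

```shell
#!/bin/sh
# Added example: a minimal "sign my key for the day" flow using only OpenSSH's
# ssh-keygen. All files live under a throwaway directory; names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. One-time setup: create the user CA key pair. Only the CA (the "very secure
#    jail") ever holds $WORK/user_ca; hosts receive just user_ca.pub.
make_ca() {
    ssh-keygen -q -t ed25519 -N "" -C "team-user-ca" -f "$WORK/user_ca"
    # This is the whole server-side configuration: trust the CA, and consult a
    # key revocation list. Written here as a fragment for illustration.
    printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\nRevokedKeys /etc/ssh/revoked.krl\n' \
        > "$WORK/sshd_config.fragment"
}

# 2. Each morning the user generates a fresh (ephemeral) key pair...
make_user_key() {
    user="$1"
    ssh-keygen -q -t ed25519 -N "" -C "$user-$(date +%Y%m%d)" -f "$WORK/$user"
}

# 3. ...and, after authenticating to the CA, gets its public key signed for a
#    bounded window:
#      -I  certificate key ID (sshd logs it; use it for audit and revocation)
#      -n  principals, i.e. the login names this certificate may claim
#      -V  validity relative to now; "+8h" means eight hours from signing
sign_user_key() {
    user="$1"; hours="$2"
    ssh-keygen -q -s "$WORK/user_ca" -I "$user@team-ca" -n "$user" \
        -V "+${hours}h" "$WORK/$user.pub"
    # ssh-keygen writes the certificate next to the public key as <user>-cert.pub
    echo "$WORK/$user-cert.pub"
}

# Read back what the certificate actually asserts (ssh-keygen -L is the
# human-readable dump: Key ID, Valid from/to, Principals, Signing CA).
cert_key_id() {
    ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Key ID: //p'
}

cert_has_principal() {
    ssh-keygen -L -f "$1" | grep -Eq "^[[:space:]]+$2\$"
}

# Check that the certificate was signed by *our* CA: compare the CA's own
# fingerprint against the "Signing CA" line of the certificate.
cert_signed_by_ca() {
    fp="$(ssh-keygen -lf "$WORK/user_ca.pub" | awk '{print $2}')"
    ssh-keygen -L -f "$1" | grep -F "Signing CA:" | grep -Fq "$fp"
}

# Revocation: the caveat of any time-limited scheme is the window between a
# compromise and expiry. A KRL closes it; sshd re-reads RevokedKeys per login.
revoke_cert() {
    ssh-keygen -q -k -f "$WORK/revoked.krl" "$1"
}

# ssh-keygen -Q exits non-zero when any listed key is revoked in the KRL.
cert_is_revoked() {
    [ -f "$WORK/revoked.krl" ] || return 1
    ! ssh-keygen -Q -f "$WORK/revoked.krl" "$1" >/dev/null 2>&1
}

# Stand-alone run: issue a certificate for alice, show it, then revoke it.
if [ "${1:-}" = "demo" ]; then
    make_ca
    make_user_key alice
    cert="$(sign_user_key alice 8)"
    ssh-keygen -L -f "$cert"
    revoke_cert "$cert"
    ssh-keygen -Q -f "$WORK/revoked.krl" "$cert" || echo "revoked as expected"
fi
```

Run it as `sh sign-demo.sh demo`. The `Valid: from ... to ...` line in the dump is the property the thread is after: once the window passes, sshd refuses the certificate without anyone touching authorized_keys, and the user's private key can simply be discarded. Two things the one-liner does not give you and a real deployment needs: the CA must refuse to sign for a principal the authenticated user is not entitled to (the `-n` list is the authorization decision), and hosts need a way to receive an updated KRL before a compromised certificate expires.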


