Date: Thu, 21 Nov 2019 17:26:44 -0800 From: Michael Sierchio <kudzu@tenebras.com> To: Walter Parker <walterp@gmail.com> Cc: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Re: SSH certificates Message-ID: <CAHu1Y73A_BZ9C5R77GpQw5ebaWcCkPtUZVagLonW6NtqeNsydQ@mail.gmail.com> In-Reply-To: <CAMPTd_Cm_HDvMODsY=wHd4tzhbo126K0MKrJYGh4gmp=dHHHpQ@mail.gmail.com> References: <mailman.99.1574337604.50155.freebsd-questions@freebsd.org> <CAMPTd_Cm_HDvMODsY=wHd4tzhbo126K0MKrJYGh4gmp=dHHHpQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Key signing is a solution to a different problem. The request is for strong auth to a CA which issues a time-limited SSH certificate with an ephemeral key. On Thu, Nov 21, 2019 at 3:10 PM Walter Parker <walterp@gmail.com> wrote: > > > > > > Message: 3 > > Date: Thu, 21 Nov 2019 10:41:40 +0100 > > From: Julien Cigar <julien@perdition.city> > > To: freebsd-questions@freebsd.org > > Subject: SSH certificates > > Message-ID: <20191121094140.GA1374@p52s> > > Content-Type: text/plain; charset=3Dutf-8 > > > > Hello, > > > > I'd like to setup an automated mechanism to replace SSH keys and > > autorized_keys management with SSH certificates. Basically every member > > of the team who arrives in the morning should authenticate to an > > authority (some daemon in a very secure jail which implement a local CA > > + key sign) and should receive back a signed certificate with a validit= y > > period of x hours. > > > > After digging a little I found https://smallstep.com/certificates/ > > and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm > > wondering if there were others similar tools ..? > > > > Thanks! > > > > Julien > > > > > > -- > > Julien Cigar > > Belgian Biodiversity Platform (http://www.biodiversity.be) > > PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0 > > No trees were killed in the creation of this message. > > However, many electrons were terribly inconvenienced. > > > > > > Look at https://github.com/gravitational/teleport > (The source build should work on FreeBSD) > > it is a full security gateway. It uses SSH certificates. > > Or BLESS from Netflix > https://github.com/Netflix/bless > > It uses an AWS Lambda function to sign SSH public keys. > > > Walter > > -- > The greatest dangers to liberty lurk in insidious encroachment by men > of zeal, well-meaning but without understanding. -- Justice Louis D. > Brandeis > _______________________________________________ > freebsd-questions@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to " > freebsd-questions-unsubscribe@freebsd.org" > --=20 "Well," Brahm=C4=81 said, "even after ten thousand explanations, a fool is = no wiser, but an intelligent person requires only two thousand five hundred." - The Mah=C4=81bh=C4=81rata
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHu1Y73A_BZ9C5R77GpQw5ebaWcCkPtUZVagLonW6NtqeNsydQ>