Date:      Fri, 22 Nov 2019 10:35:14 +0100
From:      Julien Cigar <julien@perdition.city>
To:        Dave Cottlehuber <dch@skunkwerks.at>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: SSH certificates
Message-ID:  <20191122093514.GB1402@p52s>
In-Reply-To: <6cd8c401-8867-4a8c-be8f-e2d2a69c740f@www.fastmail.com>
References:  <20191121094140.GA1374@p52s> <6cd8c401-8867-4a8c-be8f-e2d2a69c740f@www.fastmail.com>

On Thu, Nov 21, 2019 at 12:59:51PM +0100, Dave Cottlehuber wrote:
> 
> 
> On Thu, 21 Nov 2019, at 10:41, Julien Cigar wrote:
> > Hello,
> > 
> > I'd like to set up an automated mechanism to replace SSH keys and
> > authorized_keys management with SSH certificates. Basically every member
> > of the team who arrives in the morning should authenticate to an
> > authority (some daemon in a very secure jail which implements a local CA
> > + key sign) and should receive back a signed certificate with a validity
> > period of x hours.
> > 
> > After digging a little I found https://smallstep.com/certificates/ 
> > and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm
> > wondering if there were other similar tools ..?
> > 
> > Thanks!
> 
> You can do all of that manually and there is a very nice book that covers it (SSH Mastery), or go through these
> 
> https://man.openbsd.org/ssh-keygen#CERTIFICATES
> https://blog.habets.se/2011/07/OpenSSH-certificates.html
> 

Thank you, I know I can do that manually but I was looking for a
lightweight existing solution: clients should be able to auth through
CLI or through a web portal for example (and I don't have time to
redevelop those unfortunately..)

> smallstep is very nice and I’ve considered packaging it. At work we use vault extensively and I haven’t used it for this purpose but it should do very nicely https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html and it’s already in ports.
> 

Vault was already on my TODO list, I'll put it on top :)

> Personally I am not keen on having such a large trust perimeter but it will likely depend on your preference for automation vs convenience.
> 

ATM I'm managing authorized_keys with Saltstack, it works but it's far
from practical..

> A+
> Dave

-- 
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
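Once certificates are being issued with a validity of x hours as the question describes, the natural check is that every issued user certificate actually has a short lifetime and named principals. The following is an added example, not code from this thread or from smallstep, Vault or OpenSSH: a small Python parser for the OpenSSH certificate wire format that reads a `-cert.pub` line and reports policy violations; `sample_cert` builds a constructed sample with placeholder key, CA key and signature bytes (enough for parsing, not for signature verification), and the principal name `jcigar` and key id are assumed.

```python
import base64
import struct
# Number of public-key fields that follow the nonce, per OpenSSH certificate type.
_PUBKEY_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1, "ssh-rsa-cert-v01@openssh.com": 2}
SSH_CERT_TYPE_USER = 1

def _unpack(data, fmt, pos=0):
    """Decode SSH wire fields at pos: 's' = string, 'I' = uint32, 'Q' = uint64."""
    out = []
    for f in fmt:
        if f == "s":
            (n,) = struct.unpack_from(">I", data, pos)
            out.append(data[pos + 4:pos + 4 + n])
            pos += 4 + n
        else:
            out.append(struct.unpack_from(">" + f, data, pos)[0])
            pos += struct.calcsize(">" + f)
    return out, pos

def parse_cert(line):
    """Parse one 'type base64 comment' line of an OpenSSH -cert.pub file (identity and validity)."""
    ktype, blob = line.split()[0], base64.b64decode(line.split()[1])
    (wire_type,), pos = _unpack(blob, "s")
    if wire_type.decode() != ktype or ktype not in _PUBKEY_FIELDS:
        raise ValueError("unsupported or malformed certificate: " + ktype)
    # Fields after the type: nonce, key material, serial, cert type, key id, principals, valid after/before.
    fields, _ = _unpack(blob, "s" * (1 + _PUBKEY_FIELDS[ktype]) + "QIssQQ", pos)
    serial, ctype, key_id, plist, after, before = fields[-6:]
    principals, ppos = [], 0
    while ppos < len(plist):              # nested list of principal strings
        (p,), ppos = _unpack(plist, "s", ppos)
        principals.append(p.decode())
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": after, "valid_before": before}

def check_user_cert(line, max_hours):
    """Return policy violations for an issued user cert (empty list = acceptable)."""
    c = parse_cert(line)
    checks = [(c["type"] != SSH_CERT_TYPE_USER, "not a user certificate"),
              (not c["principals"], "no principals: valid for any account trusting the CA"),
              (c["valid_before"] - c["valid_after"] > max_hours * 3600,
               "lifetime exceeds %d hours" % max_hours)]
    return [msg for bad, msg in checks if bad]

def sample_cert(valid_after, valid_before, principals=("jcigar",)):
    """Constructed sample: ed25519 user cert with placeholder key, CA key and signature bytes."""
    def s(b): return struct.pack(">I", len(b)) + b
    ktype = b"ssh-ed25519-cert-v01@openssh.com"
    body = (s(ktype) + s(b"\0" * 32) + s(b"\1" * 32) + struct.pack(">QI", 7, SSH_CERT_TYPE_USER)
            + s(b"jcigar@ca") + s(b"".join(s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + s(b"") * 3 + s(b"ca") + s(b"sig"))
    return "%s %s sample" % (ktype.decode(), base64.b64encode(body).decode())
```

The same `parse_cert` accepts real `~/.ssh/id_ed25519-cert.pub` or RSA certificate lines, so `check_user_cert` can run over the CA's issuance log as a daily audit.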