From: Julien Cigar
To: Michael Sierchio
Cc: Walter Parker, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: SSH certificates
Date: Fri, 22 Nov 2019 10:38:04 +0100
Message-ID: <20191122093804.GD1402@p52s>

On Thu, Nov 21, 2019 at 05:26:44PM -0800, Michael Sierchio wrote:
> Key signing is a solution to a different problem. The request is for
> strong auth to a CA which issues a time-limited SSH certificate with an
> ephemeral key.

Indeed, that's exactly what I'm looking for. Kerberos is complementary.

> On Thu, Nov 21, 2019 at 3:10 PM Walter Parker wrote:
>
> > > Message: 3
> > > Date: Thu, 21 Nov 2019 10:41:40 +0100
> > > From: Julien Cigar
> > > To: freebsd-questions@freebsd.org
> > > Subject: SSH certificates
> > > Message-ID: <20191121094140.GA1374@p52s>
> > > Content-Type: text/plain; charset=utf-8
> > >
> > > Hello,
> > >
> > > I'd like to set up an automated mechanism to replace SSH keys and
> > > authorized_keys management with SSH certificates. Basically every member
> > > of the team who arrives in the morning should authenticate to an
> > > authority (some daemon in a very secure jail which implements a local CA
> > > + key sign) and should receive back a signed certificate with a validity
> > > period of x hours.
> > >
> > > After digging a little I found https://smallstep.com/certificates/
> > > and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm
> > > wondering if there are other similar tools ..?
> > >
> > > Thanks!
> > > Julien
> > >
> > > --
> > > Julien Cigar
> > > Belgian Biodiversity Platform (http://www.biodiversity.be)
> > > PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0
> > > No trees were killed in the creation of this message.
> > > However, many electrons were terribly inconvenienced.
> >
> > Look at https://github.com/gravitational/teleport
> > (The source build should work on FreeBSD)
> >
> > It is a full security gateway. It uses SSH certificates.
> >
> > Or BLESS from Netflix
> > https://github.com/Netflix/bless
> >
> > It uses an AWS Lambda function to sign SSH public keys.
> >
> > Walter
> >
> > --
> > The greatest dangers to liberty lurk in insidious encroachment by men
> > of zeal, well-meaning but without understanding. -- Justice Louis D.
> > Brandeis
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> --
>
> "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent person requires only two thousand five hundred."
>
> - The Mahābhārata

--
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
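The thread asks for a CA that signs a fresh, ephemeral key each morning with a validity of x hours. As an added example (not code from the thread, and not the code of smallstep, Teleport or BLESS), the script below drives the OpenSSH primitives such a signing daemon would wrap: a user CA key pair, a per-session client key, a signature bounded by `-V` and `-n`, and the checks a verifier would run on the issued certificate (signed by our CA, restricted to the expected principal, visible validity window). The working directory, the principal name `alice`, the 8-hour lifetime and the `/etc/ssh/user_ca.pub` path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or any tool it names): a minimal OpenSSH
# user CA that signs a freshly generated key for a few hours, plus checks on
# the result. Paths, the principal name and the validity period are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}
CA_KEY="$WORK/user_ca"            # CA private key: stays on the signing host only
USER_KEY="$WORK/id_ed25519"       # per-session key generated on the client
CERT="$USER_KEY-cert.pub"         # ssh-keygen -s writes the certificate here
PRINCIPAL=${PRINCIPAL:-alice}     # login name the certificate is valid for (assumed)
VALIDITY=${VALIDITY:-+8h}         # the thread's "x hours": here 8h from now

# The CA key pair, created once on the signing host (in the thread: a jail).
make_ca() {
    rm -f "$CA_KEY" "$CA_KEY.pub"
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$CA_KEY"
}

# A fresh key pair for the session; the private half never leaves the client.
make_session_key() {
    rm -f "$USER_KEY" "$USER_KEY.pub" "$CERT"
    ssh-keygen -q -t ed25519 -N '' -C "$PRINCIPAL-session" -f "$USER_KEY"
}

# The CA signs only the public half. -I is the key id sshd writes to its log,
# -n restricts the cert to the listed principals, -V bounds its lifetime.
sign_session_key() {
    ssh-keygen -q -s "$CA_KEY" -I "$PRINCIPAL-$(date +%Y%m%d)" \
        -n "$PRINCIPAL" -V "$VALIDITY" "$USER_KEY.pub"
}

# --- checks on the issued certificate ------------------------------------

# Fingerprint of the CA public key, e.g. SHA256:...
ca_fingerprint() {
    ssh-keygen -lf "$CA_KEY.pub" | awk '{ print $2 }'
}

# Fingerprint of the key that signed the certificate, as ssh-keygen -L reports it.
cert_signer_fingerprint() {
    ssh-keygen -L -f "$CERT" | awk '/Signing CA:/ { print $4 }'
}

# Succeeds if the certificate lists $1 among its principals.
cert_has_principal() {
    ssh-keygen -L -f "$CERT" \
        | sed -n '/Principals:/,/Critical Options:/p' \
        | grep -qx "[[:space:]]*$1"
}

# Succeeds only if the certificate was signed by our CA and not some other key.
cert_signed_by_ca() {
    [ "$(cert_signer_fingerprint)" = "$(ca_fingerprint)" ]
}

# The validity window, e.g. "from 2019-11-22T10:37:00 to 2019-11-22T18:38:04".
cert_validity() {
    ssh-keygen -L -f "$CERT" | sed -n 's/^[[:space:]]*Valid: //p'
}

# One "morning" run: new CA (normally reused), new session key, sign, verify.
issue_session_cert() {
    make_ca
    make_session_key
    sign_session_key
    cert_signed_by_ca
    cert_has_principal "$PRINCIPAL"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    issue_session_cert
    echo "certificate: $CERT"
    echo "valid: $(cert_validity)"
    # sshd side (assumed path): TrustedUserCAKeys /etc/ssh/user_ca.pub
    # client side: ssh -i "$USER_KEY" host   (ssh picks up $CERT automatically)
else
    echo "ssh-keygen not found; nothing issued" >&2
fi
```

The server never sees a list of user keys: it trusts the CA public key via `TrustedUserCAKeys`, and the principal in the certificate must match the login name (or an `AuthorizedPrincipalsFile` entry). Because `-V` is enforced by sshd at authentication time, a key that leaks after the window closes is useless without a fresh signature, which is the property the thread is after.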