Vlad D. Markov
dvoich at aim.com
Thu Nov 21 23:52:40 UTC 2019
On Thu, 21 Nov 2019 15:09:48 -0800
Walter Parker <walterp at gmail.com> wrote:
> > Message: 3
> > Date: Thu, 21 Nov 2019 10:41:40 +0100
> > From: Julien Cigar <julien at perdition.city>
> > To: freebsd-questions at freebsd.org
> > Subject: SSH certificates
> > Message-ID: <20191121094140.GA1374 at p52s>
> > Content-Type: text/plain; charset=utf-8
> > Hello,
> > I'd like to setup an automated mechanism to replace SSH keys and
> > authorized_keys management with SSH certificates. Basically every member
> > of the team who arrives in the morning should authenticate to an
> > authority (some daemon in a very secure jail which implements a local CA
> > + key sign) and should receive back a signed certificate with a validity
> > period of x hours.
> > After digging a little I found https://smallstep.com/certificates/
> > and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm
> > wondering if there were other similar tools...?
> > Thanks!
> > Julien
> > --
> > Julien Cigar
> > Belgian Biodiversity Platform (http://www.biodiversity.be)
> > PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0
> > No trees were killed in the creation of this message.
> > However, many electrons were terribly inconvenienced.
> Look at https://github.com/gravitational/teleport
> (The source build should work on FreeBSD)
> It is a full security gateway. It uses SSH certificates.
> Or BLESS from Netflix
> It uses an AWS Lambda function to sign SSH public keys.
> The greatest dangers to liberty lurk in insidious encroachment by men
> of zeal, well-meaning but without understanding. -- Justice Louis D.
This sounds like replacing Kerberos with SSH. The functionality desired was implemented in Kerberos years ago.
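The flow Julien asks about (a local CA that signs a team member's key and hands back a certificate that expires after a few hours) can be reproduced with nothing but stock OpenSSH. The script below is an added example for this thread; it is not code from any of the tools mentioned above. The temporary directory, the ed25519 key types, the principal name `alice`, the key ID format and the 8-hour lifetime are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal "local CA + key sign" flow
# using only ssh-keygen. All paths, names and the 8-hour lifetime below are
# assumptions for the demonstration.
set -u

WORK="${WORK:-$(mktemp -d)}"
CA_KEY="$WORK/user_ca"            # CA private key; in practice lives only in the secure jail
USER_KEY="$WORK/id_ed25519"       # the team member's key pair
VALIDITY="${VALIDITY:-+8h}"       # "x hours": cert is valid from now until now+8h

# Create the CA key pair once. Empty passphrase only to keep the demo non-interactive.
make_ca() {
    [ -f "$CA_KEY" ] || ssh-keygen -q -t ed25519 -N '' -C 'team user CA' -f "$CA_KEY"
}

# Create the user's key pair (argument: user name, used as the key comment).
make_user_key() {
    [ -f "$USER_KEY" ] || ssh-keygen -q -t ed25519 -N '' -C "$1" -f "$USER_KEY"
}

# Sign the user's public key with the CA:
#   -I  key identity, written to sshd's auth log on every login
#   -n  principals: the login names this certificate may be used for
#   -V  validity window; a single relative value is the expiry
# Prints the path of the resulting certificate (<key>.pub -> <key>-cert.pub).
issue_cert() {
    user="$1"
    ssh-keygen -q -s "$CA_KEY" -I "$user-$(date +%Y%m%d)" -n "$user" \
        -V "$VALIDITY" "$USER_KEY.pub"
    printf '%s\n' "$USER_KEY-cert.pub"
}

# Inspect the certificate: returns 0 if it is a user certificate naming the
# given principal, which is what sshd checks (besides the CA signature and
# the validity window) before accepting it.
cert_has_principal() {
    cert="$1"; principal="$2"
    ssh-keygen -L -f "$cert" | grep -q 'user certificate' &&
        ssh-keygen -L -f "$cert" | grep -qx "[[:space:]]*$principal"
}

# Expiry timestamp as printed by ssh-keygen -L (last word of the "Valid:" line).
cert_valid_to() {
    ssh-keygen -L -f "$1" | awk '/Valid:/ {print $NF; exit}'
}

# Server side: one line in sshd_config makes every server trust certs signed
# by this CA, so authorized_keys files are no longer needed for the team.
sshd_trust_line() {
    printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\n'
}

# Demonstration run (skipped when ssh-keygen is not installed). The client
# needs no extra configuration: ssh picks up id_ed25519-cert.pub next to
# id_ed25519 automatically.
if command -v ssh-keygen >/dev/null 2>&1; then
    make_ca
    make_user_key alice
    cert=$(issue_cert alice)
    ssh-keygen -L -f "$cert"
    echo "expires: $(cert_valid_to "$cert")"
    sshd_trust_line
fi
```

In a real deployment the signing step would run inside the jail behind whatever authentication the daemon uses, and only `user_ca.pub` would ever leave it; the CA private key and the `-V` lifetime are the two values that bound the damage from a lost laptop key, since sshd rejects the certificate as soon as the window has passed.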