SSH certificates

Julien Cigar julien at
Fri Nov 22 09:35:17 UTC 2019

On Thu, Nov 21, 2019 at 12:59:51PM +0100, Dave Cottlehuber wrote:
> On Thu, 21 Nov 2019, at 10:41, Julien Cigar wrote:
> > Hello,
> > 
> > I'd like to setup an automated mechanism to replace SSH keys and
> > autorized_keys management with SSH certificates. Basically every member
> > of the team who arrives in the morning should authenticate to an
> > authority (some daemon in a very secure jail which implement a local CA
> > + key sign) and should receive back a signed certificate with a validity
> > period of x hours.
> > 
> > After digging a little I found 
> > and (which aren't packaged BTW) but I'm
> > wondering if there were others similar tools ..?
> > 
> > Thanks!
> You can do all of that manually and there is a very nice book that covers it in ssh mastery or go through these

Thank you, I know I can do that manually but I was looking for a
lightweight existing solution: clients should be able to auth through
CLI or through a web portal for example (and I don't have time to
redevelop those unfortunately..)

> smallstep is very nice and I’ve considered packaging it. At work we use vault extensively and I haven’t used it for this purpose but it should do very nicely and it’s already in ports.

Vault was already on my TODO list, I'll put it on top :)

> Personally I am not keen on having such a large trust perimeter but it will likely depend on your preference for automation vs convenience.

ATM I'm managing authorized_keys with Saltstack, it works but it's far
from practical..

> A+
> Dave
> _______________________________________________
> freebsd-questions at mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at"

Julien Cigar
Belgian Biodiversity Platform (
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.

More information about the freebsd-questions mailing list