Re: OpenSSH contract development / patch


On Thu, May 4, 2017 at 5:43 AM, Devin Nate <devin.nate@xxxxxxxxxxx> wrote:
> Additionally, we’re looking for some creative advice around handling thousands of keys in our specific environment.

Hi Devin, have you looked at using openssh certificates to help manage
your key distribution problem? By issuing host certificates signed by
a common CA, it means that your clients need only a single entry in
their known_hosts file, and by issuing user certificates signed by a
common CA, you can simplify management of the authorized_keys file (or
their certificate equivalent, authorized_principals).

While the feature has been around for a while now (and is really
useful), there doesn't seem to be a huge amount of documentation around
it. I found the following useful when getting a client of mine running
with it: https://ef.gy/hardening-ssh and in their case we ended up
open-sourcing the command-line tool we built that does SSO with their
IdP, fetches a short-lived certificate and then automatically configures
the client SSH to use it: https://github.com/continusec/geecert

Facebook also published a recent article about their use of SSH
certificates here:
https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
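The certificate workflow sketched in the reply above, as an added example (not code from the thread or from geecert): two CAs, a signed host key, a signed user key with explicit principals, the one-line known_hosts trust anchor, and the sshd_config fragment that maps principals to accounts. Hostname, user names, validity periods and all file paths (under $WORK and /etc/ssh) are assumptions for illustration.

```shell
#!/bin/sh
# Added example of an OpenSSH certificate CA workflow; paths and names are assumed.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# 1. Two separate CAs: one signs host keys, the other signs user keys.
make_cas() {
  ssh-keygen -q -t ed25519 -N '' -C 'host-ca' -f "$WORK/host_ca"
  ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/user_ca"
}

# 2. Sign a host key: -h marks a host certificate, -n lists the hostnames
#    it is valid for; output is <key>-cert.pub beside the public key.
sign_host() { # $1 = host public key path, $2 = hostname(s), comma separated
  ssh-keygen -q -s "$WORK/host_ca" -I "host-$2" -h -n "$2" -V +52w "$1"
}

# 3. Sign a user key with a short lifetime and the principals it may log in as.
sign_user() { # $1 = user public key path, $2 = key id, $3 = principals
  ssh-keygen -q -s "$WORK/user_ca" -I "$2" -n "$3" -V +8h "$1"
}

# 4. Client side: one @cert-authority line in known_hosts trusts every host
#    certificate issued by the host CA for hosts matching the pattern.
known_hosts_line() { # $1 = host CA public key path, $2 = host pattern
  printf '@cert-authority %s %s\n' "$2" "$(cut -d' ' -f1,2 "$1")"
}

# 5. Server side: trust the user CA and look up allowed principals per
#    account in /etc/ssh/auth_principals/<username> (assumed layout).
sshd_fragment() {
  printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\n'
  printf 'AuthorizedPrincipalsFile /etc/ssh/auth_principals/%%u\n'
}

# Audit helper: list the principals embedded in a certificate.
cert_principals() { # $1 = certificate path
  ssh-keygen -L -f "$1" |
    awk '/Principals:/{p=1;next} /Critical Options:/{p=0} p{print $1}'
}
```

Run the functions in order (make_cas, sign_host, sign_user) and install known_hosts_line output on clients and sshd_fragment on servers; cert_principals shows what a given certificate actually grants.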