> On Dec 25, 2017, at 2:36 AM, Peter Moody <mindrot@xxxxxxxx> wrote:
>
> On Sun, Dec 24, 2017 at 9:54 PM, David Newall <openssh@xxxxxxxxxxxxxxx> wrote:
>> On 25/12/17 00:11, John Devitofranceschi wrote:
>>>
>>> Besides ssh.com's PrivX product, has anyone created a web service that can
>>> be used to issue temporary certkeys to authenticated users?
>>>
>>> Any pointers appreciated!
>>
>>
>
> I would agree that using a random service for signing certs is a bad
> idea. thankfully there are a few full featured opensource ssh CA's
> already available. I have it on good authority that another is going
> to be released in the near future as well.

Details on these, please? Since that was kind of what I was asking for in the OP :)

I have found a couple on github:

https://github.com/cloudtools/ssh-cert-authority
https://github.com/cloudtools/ssh-ca

(Blargh is right (https://blog.habets.se/2011/07/OpenSSH-certificates.html). Googling for this stuff is *hard* :)

And I *am* researching this for an enterprise that has strict access control requirements. Not only are we expected to provide evidence of when users accessed systems and for how long, we are also expected to show when access was requested and who approved it. Simply trusting (mostly non-technical) users to do the right thing is never a good idea when auditors and compliance folks are involved.

As far as an OpenSSH CA is concerned, I'm thinking of a model akin to the big X.509 CAs for enterprise users to obtain ssh authentication keys. If the keys are never touched by human hands, so much the better.

jd
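As an added illustration (not code from this thread or from any of the projects linked above), the following script shows the core of what such an SSH CA does: sign a user's public key with ssh-keygen so that the certificate carries a restricted principal and a short validity window, and record who requested and who approved it for the auditors. The key paths, the example.com key identity, and the user and principal names are assumed.

```shell
#!/bin/sh
# Added example: minimal short-lived OpenSSH user certificate issuance
# with an audit trail. All paths, identities and names below are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_KEY="$WORK/ca_key"           # CA private key (assumed location)
AUDIT_LOG="$WORK/audit.log"     # one append-only line per issued certificate

# Create the CA key once. In production it belongs on a locked-down signing
# host or in an HSM; user workstations never see it.
init_ca() {
    [ -f "$CA_KEY" ] || ssh-keygen -q -t ed25519 -N '' -C 'example-ssh-ca' -f "$CA_KEY"
}

# issue_cert <user_pubkey> <principal> <validity> <requester> <approver> <serial>
# Signs the user's public key for one principal, valid only for the given
# interval (e.g. +8h), and writes the request/approval record auditors ask for.
issue_cert() {
    pub="$1"; principal="$2"; validity="$3"; requester="$4"; approver="$5"; serial="$6"
    ssh-keygen -q -s "$CA_KEY" -I "$requester@example.com" -n "$principal" \
        -V "$validity" -z "$serial" "$pub"
    cert="${pub%.pub}-cert.pub"
    printf '%s serial=%s principal=%s validity=%s requested_by=%s approved_by=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$serial" "$principal" "$validity" \
        "$requester" "$approver" >> "$AUDIT_LOG"
    printf '%s\n' "$cert"
}

# cert_principals <cert_file>: print the principals embedded in a certificate.
# These are what sshd matches against the login name or AuthorizedPrincipalsFile.
cert_principals() {
    ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
        | sed '1d;$d' | tr -d ' \t'
}

# Demo run: alice asks for the "deploy" principal for 8 hours, bob approves.
demo() {
    init_ca
    ssh-keygen -q -t ed25519 -N '' -C 'alice laptop' -f "$WORK/alice"
    cert=$(issue_cert "$WORK/alice.pub" deploy +8h alice bob 1001)
    echo "principals: $(cert_principals "$cert")"
    ssh-keygen -L -f "$cert" | grep -E 'Serial|Valid:'
    cat "$AUDIT_LOG"
}
demo
```

sshd accepts such a certificate once the CA's public key is listed via TrustedUserCAKeys; the audit line, not the certificate, is what answers "who approved this and when".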
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev