Re: OpenSSH key signing service?

On Tue, Dec 26, 2017 at 3:09 AM, John Devitofranceschi
<jdvf@xxxxxxxxxxxxx> wrote:
> "We just need the workflows to do the signing :-)"
>
> I’m interested in that bit, though!

Hi John, we rolled out SSH certs for an organization using G-Suite for
SSO - whereby the users would run a CLI tool that would launch an
OAuth login (the first time), generate a new key, then send the public
key and ID Token to a CA which would stamp out a cert, and also return
other SSH conf for them. We open sourced both the server and client
components here: https://github.com/continusec/geecert

It would likely be easy to add additional sources for authentication.
What that code doesn't do yet, is handle workflow well for host
certificates - though I did add an experimental HTTP server component
which would connect to a whitelist of hosts, and return a cert for the
public key it sees, appropriate for invocation from a cronjob on a
host to fetch its own cert. We'll likely start rolling this out for
another customer in the New Year and will update the docs then.

Hope that's helpful.

Cheers, Adam

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
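The CA-side half of the workflow Adam describes (client sends a public key plus an ID token, the CA checks both and stamps out a cert), as an added example written for this thread, not code from geecert. It assumes the ID token's signature has already been verified by an OIDC library, uses Google's standard `hd` (hosted domain) and `email_verified` claims, and only builds the `ssh-keygen -s` command rather than running it; the sample public key is constructed inline.

```python
import base64
import struct

ALLOWED_KEY_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256"}

def parse_openssh_pubkey(line):
    """Parse a 'type base64 comment' line and check the wire blob agrees with the label."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("key type label does not match blob")
    if keytype not in ALLOWED_KEY_TYPES:
        raise ValueError("key type not allowed by CA policy")
    return keytype, blob

def principals_for_user(claims, hosted_domain):
    """Map verified ID-token claims to SSH principals; refuse tokens from other domains."""
    if not claims.get("email_verified") or claims.get("hd") != hosted_domain:
        raise PermissionError("token not issued for the allowed hosted domain")
    local, _, domain = claims.get("email", "").partition("@")
    if not local or domain != hosted_domain:
        raise PermissionError("email claim does not belong to the hosted domain")
    return [local]

def sign_command(ca_key, pubkey_path, identity, principals, validity="+8h", host=False):
    """Build the ssh-keygen invocation the CA would run; -h marks a host certificate."""
    cmd = ["ssh-keygen", "-s", ca_key, "-I", identity,
           "-n", ",".join(principals), "-V", validity]
    if host:
        cmd.append("-h")
    return cmd + [pubkey_path]

def constructed_pubkey_line(keytype="ssh-ed25519", label=None):
    """Constructed sample key (not a real key): SSH string(type) + string(32 bytes)."""
    blob = struct.pack(">I", len(keytype)) + keytype.encode() \
        + struct.pack(">I", 32) + bytes(range(32))
    return f"{label or keytype} {base64.b64encode(blob).decode()} alice@laptop"

if __name__ == "__main__":
    claims = {"email": "alice@example.com", "email_verified": True, "hd": "example.com"}
    keytype, _ = parse_openssh_pubkey(constructed_pubkey_line())
    print(sign_command("/etc/ssh/ca", "alice.pub", "alice@example.com",
                       principals_for_user(claims, "example.com")))
```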
