On Tue, Dec 26, 2017 at 3:09 AM, John Devitofranceschi <jdvf@xxxxxxxxxxxxx> wrote:
> "We just need the workflows to do the signing :-)"
>
> I'm interested in that bit, though!

Hi John,

We rolled out SSH certs for an organization using G-Suite for SSO, whereby the users would run a CLI tool that would launch an OAuth login (the first time), generate a new key, then send the public key and ID Token to a CA which would stamp out a cert, and also return other SSH conf for them.

We open sourced both the server and client components here: https://github.com/continusec/geecert

It would likely be easy to add additional sources for authentication.

What that code doesn't do yet is handle workflow well for host certificates, though I did add an experimental HTTP server component which would connect to a whitelist of hosts and return a cert for the public key it sees, appropriate for invocation from a cronjob on a host to fetch its own cert.

We'll likely start rolling this out for another customer in the New Year and will update the docs then.

Hope that's helpful.

Cheers,
Adam
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
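The "CA stamps out a cert" step of the workflow Adam describes, as an added example that is not part of the original post and not geecert's code. It is written in Go (geecert is a Go project) against the standard library only, and builds the OpenSSH certificate wire format directly rather than shelling out to ssh-keygen. It assumes the ID token has already been validated, so the caller supplies the authenticated identity (used as the key ID) and the login principals it maps to; it assumes ed25519 keys; and it pairs the signing side with the relying-party check that sshd performs for a key listed in TrustedUserCAKeys, so the two halves can be exercised against each other offline. The names SignUserCert, VerifyUserCert, pack and reader are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Added illustration, not geecert's code: ssh-ed25519-cert-v01@openssh.com, fields as in OpenSSH's PROTOCOL.certkeys.
const certType, keyType = "ssh-ed25519-cert-v01@openssh.com", "ssh-ed25519"

// pack concatenates its arguments as length-prefixed SSH "string" fields.
func pack(parts ...[]byte) []byte {
	var b bytes.Buffer
	for _, p := range parts {
		binary.Write(&b, binary.BigEndian, uint32(len(p)))
		b.Write(p)
	}
	return b.Bytes()
}

// SignUserCert is the CA step: it binds userPub to keyID (the identity the CA authenticated,
// e.g. the e-mail from the ID token), the login principals and the window [after, before). Keep it short.
func SignUserCert(caPriv ed25519.PrivateKey, userPub ed25519.PublicKey, serial uint64,
	keyID string, principals []string, after, before time.Time) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	var princ []byte // principals are themselves a packed list of strings
	for _, p := range principals { princ = append(princ, pack([]byte(p))...) }
	var b bytes.Buffer
	b.Write(pack([]byte(certType), nonce, userPub))
	binary.Write(&b, binary.BigEndian, serial)
	binary.Write(&b, binary.BigEndian, uint32(1)) // SSH2_CERT_TYPE_USER
	b.Write(pack([]byte(keyID), princ))
	binary.Write(&b, binary.BigEndian, uint64(after.Unix()))
	binary.Write(&b, binary.BigEndian, uint64(before.Unix()))
	caPub := caPriv.Public().(ed25519.PublicKey)
	// critical options (none), extensions (permit-pty only), reserved, CA key in wire form
	b.Write(pack(nil, pack([]byte("permit-pty"), nil), nil, pack([]byte(keyType), caPub)))
	// The signature covers every byte written so far, the CA key included.
	b.Write(pack(pack([]byte(keyType), ed25519.Sign(caPriv, b.Bytes()))))
	return b.Bytes(), nil
}

// reader walks the wire format; the first decoding error sticks in err and later reads return zero padding.
type reader struct {
	b   []byte
	err error
}

func (r *reader) take(n int) (s []byte) {
	if r.err != nil || n < 0 || len(r.b) < n {
		r.err = errors.New("truncated certificate")
		return make([]byte, 8)
	}
	s, r.b = r.b[:n], r.b[n:]
	return s
}
func (r *reader) u32() uint32 { return binary.BigEndian.Uint32(r.take(4)) }
func (r *reader) u64() uint64 { return binary.BigEndian.Uint64(r.take(8)) }
func (r *reader) str() []byte { return r.take(int(r.u32())) }

// VerifyUserCert is the relying-party step (sshd with TrustedUserCAKeys): signature, type, window, principal.
func VerifyUserCert(cert []byte, trustedCA ed25519.PublicKey, now time.Time, principal string) (string, error) {
	r := &reader{b: cert}
	if string(r.str()) != certType {
		return "", errors.New("not an ed25519 user certificate")
	}
	r.str(); r.str(); r.u64() // nonce, user public key, serial
	ctype, keyID := r.u32(), string(r.str())
	ok, pr := false, &reader{b: r.str()}
	for len(pr.b) > 0 && pr.err == nil {
		ok = ok || string(pr.str()) == principal
	}
	after, before := r.u64(), r.u64()
	r.str(); r.str(); r.str() // critical options, extensions, reserved
	sigKey := &reader{b: r.str()}
	signed := cert[:len(cert)-len(r.b)] // everything before the signature field
	sig := &reader{b: r.str()}
	sigType, sigBytes := string(sig.str()), sig.str()
	if r.err != nil || sig.err != nil || len(r.b) != 0 {
		return "", errors.New("malformed certificate")
	}
	if len(trustedCA) != ed25519.PublicKeySize || string(sigKey.str()) != keyType ||
		!bytes.Equal(sigKey.str(), trustedCA) || sigType != keyType || !ed25519.Verify(trustedCA, signed, sigBytes) {
		return "", errors.New("signature does not verify under the trusted CA key")
	}
	if t := uint64(now.Unix()); ctype != 1 || t < after || t >= before {
		return "", errors.New("not a user certificate valid at this time")
	}
	if !ok {
		return "", fmt.Errorf("principal %q not in certificate", principal)
	}
	return keyID, nil
}
```

The bytes SignUserCert returns are what goes after the type name in the client's id_ed25519-cert.pub (`ssh-ed25519-cert-v01@openssh.com <base64 of cert>`), and `ssh-keygen -L -f` on that file shows the key ID, principals and validity the CA stamped in. Two design points carry over to any such CA: the validity window, not the OAuth session, is what bounds how long a stolen key stays useful, and the serial is the handle you need later for revocation, so never leave it at zero.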