Re: OpenSSH key signing service?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 




> On Dec 26, 2017, at 2:09 PM, Stef Bon <stefbon@xxxxxxxxx> wrote:
> 
> 2017-12-25 23:37 GMT+01:00 Peter Moody <mindrot@xxxxxxxx>:
>>> 
> 
> I perfectly understand that central management of keys is when
> handling much hosts and many users is a good solution,
> but I think it's a bit odd.
> 
> Please correct me if I'm wrong, the host receives from the authority
> keys, and uses those to do the signature checking, or the creation of
> a signature.
> Keys are send from the authority to the host.
> But why don't let the authority handle everything with the server to
> connect to, keymaterial stays on the cert authority.
> 


I do see your point and there are products out there that provide secure
gateways like you describe. They include all kinds of other features like 
privilege escalation, timed access, session logging, etc.

I’m more interested in a web service that can sign a user’s personal key (only 
the public key needs to be given then), provide short-lived ssh credentials to 
enable access to ’special’ hosts (possibly with a different ca key), and be used 
in the host staging process to sign host keys.  

The user may never even need to directly handle the short-lived credentials. 
The service would just download them into a well-known area and provide the 
user with a link to execute a local (to the user) ssh client with the key 
information included in the command line.

This would be a way to keep the signing keys secured while allowing a high 
degree of self-service. Kind of like how X.509 certificate authorities work.


jd

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux