On Dec 26, 2017, at 7:11 PM, John Devitofranceschi <jdvf@xxxxxxxxxxxxx> wrote: >> On Dec 26, 2017, at 2:09 PM, Stef Bon <stefbon@xxxxxxxxx> wrote: >> 2017-12-25 23:37 GMT+01:00 Peter Moody <mindrot@xxxxxxxx>: >>>> >> >> I perfectly understand that central management of keys is when >> handling much hosts and many users is a good solution, >> but I think it's a bit odd. >> >> Please correct me if I'm wrong, the host receives from the authority >> keys, and uses those to do the signature checking, or the creation of >> a signature. >> Keys are send from the authority to the host. >> But why don't let the authority handle everything with the server to >> connect to, keymaterial stays on the cert authority. >> > > > I do see your point and there are products out there that provide secure > gateways like you describe. They include all kinds of other features like > privilege escalation, timed access, session logging, etc. > > I’m more interested in a web service that can sign a user’s personal key (only > the public key needs to be given then), provide short-lived ssh credentials to > enable access to ’special’ hosts (possibly with a different ca key), and be used > in the host staging process to sign host keys. > > The user may never even need to directly handle the short-lived credentials. > The service would just download them into a well-known area and provide the > user with a link to execute a local (to the user) ssh client with the key > information included in the command line. > > This would be a way to keep the signing keys secured while allowing a high > degree of self-service. Kind of like how X.509 certificate authorities work. It may not be an exact match for what you’re looking for, but you may want to check out “keymaster” at: https://github.com/Symantec/keymaster <https://github.com/Symantec/keymaster> It is a service designed to provide short-term SSH and TLS certificates based on some other common authentication back-end (providing “single sign on” capability with optional two-factor auth). More info is available in the design doc at: https://docs.google.com/document/u/1/d/1AW3UROCJqTc3R4MLJXxmPUNS0OFNcsiQJ_Q4j--5tQE/pub <https://docs.google.com/document/u/1/d/1AW3UROCJqTc3R4MLJXxmPUNS0OFNcsiQJ_Q4j--5tQE/pub> There was also a presentation at a recent Silicon Valley IAM User Group meeting available at: https://www.meetup.com/Silicon-Valley-IAM-User-Group/events/243510383/?_cookie-check=8VAZ0NJ50Dt55Vbt <https://www.meetup.com/Silicon-Valley-IAM-User-Group/events/243510383/?_cookie-check=8VAZ0NJ50Dt55Vbt> -- Ron Frederick ronf@xxxxxxxxxxxxx _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev