Re: add keys and certificate to forwarded agent on remote host

> What is nice about runtime certificate issuance is that certificates can
> be tuned for particular per-user, per-instance use cases, such as "root
> on all DC1 webservers".
>
> Unless I've misunderstood, verification of the user and the permissions
> they have for potentially many roles on many servers are quite different
> things.


Possibly the other question you need to be asking yourself is whether you're abusing SSH, trying to make it do another tool's job?

e.g. sudo/doas for "root on a server", or Kerberos+LDAP or similar.

Apologies if I'm teaching granny to suck eggs here, or my understanding of SSH is all wrong. But surely SSH certificates were only ever intended to be for authentication, not for authorization?

Look at Amazon AWS for example. You can *authenticate* to their services using SSH, but the whole *authorization* logic is controlled through AWS IAM.

Surely, if anything, the AWS-style system is the one you should be looking to replicate? As that is obviously a methodology that has been proven to scale?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
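As an added example (not part of this thread, and not OpenSSH's own code), the script below encodes and decodes the OpenSSH certificate wire format described in PROTOCOL.certkeys, using constructed placeholder key bytes and an unverified placeholder signature. It makes visible what a user certificate actually carries: the principals that sshd matches against an AuthorizedPrincipalsFile or a `principals=` authorized_keys entry, a validity window, and the critical options and extensions that constrain how the certificate may be used. What the resulting login may then do on the host (becoming root through sudo or doas, for instance) is decided by the host's own policy, not by anything stored in the certificate. The names `build_user_cert`, `to_cert_line`, `parse_cert_line`, `is_valid_at` and `matching_principal` are this example's own.

```python
"""Encode and decode the OpenSSH certificate wire format (PROTOCOL.certkeys).

Constructed example: subject key, CA key, nonce and signature are placeholder
bytes, not real key material, and the signature is NOT verified here.
"""
import base64
import os
import struct
import time

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
KEY_TYPE = "ssh-ed25519"
USER_CERT, HOST_CERT = 1, 2


def _s(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _pairs(mapping: dict) -> bytes:
    """Critical options / extensions: (name, data) pairs; data is a string-wrapped
    value, or empty for flag-style entries such as permit-pty."""
    out = b""
    for name, value in mapping.items():
        out += _s(name.encode()) + _s(_s(value.encode()) if value else b"")
    return out


def build_user_cert(pubkey, ca_pubkey, key_id, principals, valid_after,
                    valid_before, critical=None, extensions=None, serial=1):
    """Lay out a user certificate (ed25519 variant) in the order sshd parses it."""
    body = (
        _s(CERT_TYPE.encode())
        + _s(os.urandom(32))                        # nonce
        + _s(pubkey)                                # subject's public key
        + struct.pack(">Q", serial)
        + struct.pack(">I", USER_CERT)
        + _s(key_id.encode())
        + _s(b"".join(_s(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _s(_pairs(critical or {}))
        + _s(_pairs(extensions or {}))
        + _s(b"")                                   # reserved
        + _s(_s(KEY_TYPE.encode()) + _s(ca_pubkey))  # CA public key
    )
    # A real CA signs `body` with its private key; this signature is a placeholder.
    return body + _s(_s(KEY_TYPE.encode()) + _s(b"\x00" * 64))


def to_cert_line(blob: bytes, comment: str) -> str:
    """Same shape as the *-cert.pub line that `ssh-keygen -s` writes."""
    return f"{CERT_TYPE} {base64.b64encode(blob).decode()} {comment}"


class _Reader:
    """Cursor over an SSH binary buffer, refusing to read past its end."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def _take(self, n: int) -> bytes:
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def u32(self): return struct.unpack(">I", self._take(4))[0]
    def u64(self): return struct.unpack(">Q", self._take(8))[0]
    def string(self): return self._take(self.u32())

    def strings(self):                              # packed list of strings
        out = []
        while self.pos < len(self.buf):
            out.append(self.string().decode())
        return out

    def pairs(self):                                # packed (name, data) pairs
        out = {}
        while self.pos < len(self.buf):
            name, data = self.string().decode(), self.string()
            out[name] = _Reader(data).string().decode() if data else ""
        return out


def parse_cert_line(line: str) -> dict:
    """Decode one certificate line into the fields an operator cares about."""
    ktype, b64 = line.split()[:2]
    if ktype != CERT_TYPE:
        raise ValueError(f"unsupported key type {ktype}")
    r = _Reader(base64.b64decode(b64))
    if r.string().decode() != CERT_TYPE:
        raise ValueError("blob type does not match line type")
    r.string()                                      # nonce
    pubkey = r.string()
    serial, ctype = r.u64(), r.u32()
    key_id = r.string().decode()
    principals = _Reader(r.string()).strings()
    valid_after, valid_before = r.u64(), r.u64()
    critical = _Reader(r.string()).pairs()
    extensions = _Reader(r.string()).pairs()
    r.string()                                      # reserved
    ca = _Reader(r.string())
    ca_type, ca_pubkey = ca.string().decode(), ca.string()
    r.string()                                      # signature: not verified here
    return {"type": {USER_CERT: "user", HOST_CERT: "host"}.get(ctype, ctype),
            "serial": serial, "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before,
            "critical": critical, "extensions": extensions,
            "public_key": pubkey, "ca_type": ca_type, "ca_public_key": ca_pubkey}


def is_valid_at(cert: dict, now=None) -> bool:
    """sshd accepts a certificate only inside [valid_after, valid_before)."""
    now = int(time.time()) if now is None else now
    return cert["valid_after"] <= now < cert["valid_before"]


def matching_principal(cert: dict, allowed: set):
    """First certificate principal present in the host's allowed set (the role
    an AuthorizedPrincipalsFile or a principals= entry plays)."""
    return next((p for p in cert["principals"] if p in allowed), None)
```

Running `parse_cert_line` over a real `id_ed25519-cert.pub` shows the same fields `ssh-keygen -L` prints; the point for the discussion above is that nothing in that structure beyond principals, validity and the option/extension pairs is consulted by sshd, so "root on all DC1 webservers" can only be expressed as a principal name that each host's AuthorizedPrincipalsFile chooses to honour, with the privilege escalation itself left to sudo/doas policy.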