On 18/09/18, Tim Jones (b631093f-779b-4d67-9ffe-5f6d5b1d3f8a@xxxxxxxxxxxxx) wrote:
> > Unless I've misunderstood, verification of the user and the permissions
> > they have for potentially many roles on many servers are quite different
> > things.
>
> Possibly the other question you need to be asking yourself is whether
> you're abusing SSH, trying to make it do another tool's job?
>
> e.g. sudo/doas for "root on a server", or Kerberos+LDAP or similar.
>
> Apologies if I'm teaching granny to suck eggs here, or my
> understanding of SSH is all wrong. But surely SSH certificates were
> only ever intended to be for authentication, not for authorization?
>
> Look at Amazon AWS for example. You can *authenticate* to their
> services using SSH, but the whole *authorization* logic is controlled
> through AWS IAM.
>
> Surely, if anything the AWS-style system is the one you should be
> looking to replicate? As that is obviously a methodology that has
> been proven to scale?

Sure, the logic behind certificate issuance is based around authorization.

In a small, open-source environment (i.e. no dependencies on AWS or similar external providers) what authorization system would you recommend that deals with users, roles and machines? Ideally it would plug into openssh.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
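The authentication/authorization split Tim describes, and the "users, roles and machines" question in the reply, can both be illustrated with OpenSSH's own certificate hooks: the CA signature on a user certificate settles authentication, while a per-host policy consulted through sshd's AuthorizedPrincipalsCommand settles which certificate principals (used here as role names) may log in as which local account. The script below is an added example written for this thread, not code from either poster or from the OpenSSH project. The sshd_config keywords it relies on (TrustedUserCAKeys, AuthorizedPrincipalsCommand, AuthorizedPrincipalsCommandUser) are real; the policy table, the /etc/ssh/host_class file, the certificate listing and the fingerprints in it are constructed assumptions.

```python
#!/usr/bin/env python3
"""Role-based authorization for OpenSSH certificate logins (added example).

sshd verifies the certificate against TrustedUserCAKeys (authentication), then
runs AuthorizedPrincipalsCommand for the requested account and allows the login
only if one of the certificate's principals appears in the command's output
(authorization).  Assumed sshd_config on each managed host:

    TrustedUserCAKeys /etc/ssh/user_ca.pub
    AuthorizedPrincipalsCommand /usr/local/sbin/ssh-role-principals %u
    AuthorizedPrincipalsCommandUser nobody
"""
import sys

# Constructed policy: host class -> local account -> role principals allowed.
# In practice this table is what configuration management distributes.
POLICY = {
    "web": {"deploy": ["role:web-deploy", "role:sre"], "root": ["role:sre"]},
    "db":  {"postgres": ["role:dba"], "root": ["role:sre"]},
}

# Constructed `ssh-keygen -L` output for one user certificate; fingerprints are placeholders.
SAMPLE_CERT_LISTING = """\
/tmp/id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDERKEYFP
        Signing CA: ED25519 SHA256:PLACEHOLDERCAFP (using ssh-ed25519)
        Key ID: "alice"
        Serial: 42
        Valid: from 2018-09-18T00:00:00 to 2018-09-25T00:00:00
        Principals:
                alice
                role:sre
        Critical Options: (none)
        Extensions:
                permit-pty
"""


def parse_principals(listing):
    """Extract the principal names from `ssh-keygen -L` text output."""
    principals, in_block = [], False
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Principals:"):
            if line[len("Principals:"):].strip() == "(none)":
                return []
            in_block = True
            continue
        if in_block:
            # The next field ("Critical Options: (none)", "Extensions:") ends the block;
            # a principal such as "role:sre" contains ':' but never ': ' or a trailing ':'.
            if line.endswith(":") or ": " in line:
                break
            if line:
                principals.append(line)
    return principals


def allowed_principals(policy, host_class, account):
    """What the command prints for sshd: principals permitted to become `account` here."""
    return list(policy.get(host_class, {}).get(account, []))


def authorize(policy, host_class, account, cert_principals):
    """Mirror sshd's decision: the login succeeds iff some certificate principal is
    in the allowed list.  Returns the matching principals; an empty list means denied."""
    allowed = set(allowed_principals(policy, host_class, account))
    return sorted(allowed.intersection(cert_principals))


def main(argv):
    # sshd invokes this as: ssh-role-principals <account>.  The host's class is read
    # from an assumed one-word file; with no policy we print nothing and sshd denies.
    if len(argv) != 2:
        sys.exit("usage: ssh-role-principals <account>")
    try:
        with open("/etc/ssh/host_class") as fh:
            host_class = fh.read().strip()
    except OSError:
        sys.exit(1)
    for principal in allowed_principals(POLICY, host_class, argv[1]):
        print(principal)


if __name__ == "__main__":
    main(sys.argv)
```

With this layout the certificate carries only identity and role membership, the CA never needs to know which hosts exist, and the per-host policy table is the single place where "who may become root on a db host" is decided and audited; `authorize()` is the same check sshd performs, kept as a function so the policy can be tested offline before it is rolled out.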