Re: add keys and certificate to forwarded agent on remote host

On 18/09/18, Tim Jones (b631093f-779b-4d67-9ffe-5f6d5b1d3f8a@xxxxxxxxxxxxx) wrote:

> > Unless I've misunderstood, verification of the user and the permissions
> > they have for potentially many roles on many servers are quite different
> > things.
> 
> Possibly the other question you need to be asking yourself is whether
> you're abusing SSH, trying to make it do another tool's job?
> 
> e.g. sudo/doas for "root on a server", or kerberos+LDAP or similar.
> 
> Apologies if I'm teaching granny to suck eggs here, or my
> understanding of SSH is all wrong.  But surely SSH certificates were
> only ever intended to be for authentication, not for authorization?
> 
> Look at Amazon AWS for example.  You can *authenticate* to their
> services using SSH, but the whole *authorization* logic is controlled
> through AWS IAM.
> 
> Surely, if anything, the AWS-style system is the one you should be
> looking to replicate? As that is obviously a methodology that has
> been proven to scale?

Sure, the logic behind certificate issuance is based around
authorization.

In a small, open-source environment (i.e. no dependencies on AWS or
similar external providers), what authorization system would you
recommend that deals with users, roles and machines? Ideally it would
plug into openssh.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
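As an added illustration, not part of the thread: OpenSSH itself already separates the two concerns with its TrustedUserCAKeys and AuthorizedPrincipalsFile directives. The CA-signed certificate carries the user's identity and role principals (authentication); a per-account principals file on each host decides which of those principals may log in as that account (authorization). The Python below is a simplified model of that server-side check, with constructed sample principals files; it is not sshd's code, and it supports only the `from=` option with `*`/`?` wildcards.

```python
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: one AuthorizedPrincipalsFile per local account, keyed by
# account name. On a real host this is e.g.
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
#   AuthorizedPrincipalsFile /etc/ssh/principals/%u
PRINCIPALS_FILES: Dict[str, str] = {
    "root": "# only the ops role may become root, and only via the bastion\n"
            'from="10.0.0.5" role-ops\n',
    "deploy": "role-ops\nrole-ci\n",
    "alice": "alice\n",
}


def parse_principals_file(text: str) -> List[Tuple[str, str]]:
    """Return (options, principal) pairs. The file uses authorized_keys-style
    syntax: optional options, whitespace, principal name; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?:(\S+)\s+)?(\S+)$", line)
        if m:
            entries.append((m.group(1) or "", m.group(2)))
    return entries


def authorize(account: str, cert_principals: List[str], source_ip: str) -> Optional[str]:
    """Model of sshd's decision: the certificate proves *who* is connecting
    (cert_principals), the target account's principals file decides *whether*
    that identity may log in as `account`. Returns the matching principal or None.
    Assumption: an account with no principals file is denied here (sshd would
    fall back to the account's authorized_keys instead)."""
    text = PRINCIPALS_FILES.get(account)
    if text is None:
        return None
    for opts, principal in parse_principals_file(text):
        if principal not in cert_principals:
            continue
        m = re.search(r'from="([^"]*)"', opts)
        if m and not any(fnmatch.fnmatch(source_ip, p) for p in m.group(1).split(",")):
            continue  # identity matches, but the source restriction does not
        return principal
    return None
```

Changing who may become root on a host then means editing that host's root principals file (or the source feeding AuthorizedPrincipalsCommand), with no certificate reissue.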