> (Blargh is right (https://blog.habets.se/2011/07/OpenSSH-certificates.html). Googling for this stuff is *hard* :)

Does https://www.sweharris.org/post/2016-10-30-ssh-certs/ help at all?

Stephen
https://www.vaultproject.io/docs/secrets/ssh/index.html is another tool that can help with that as well.

-Jason Martin

On Mon, Dec 25, 2017 at 09:52:24AM -0500, Stephen Harris wrote:
> > (Blargh is right (https://blog.habets.se/2011/07/OpenSSH-certificates.html). Googling for this stuff is *hard* :)
>
> Does https://www.sweharris.org/post/2016-10-30-ssh-certs/ help at all?
> On Dec 25, 2017, at 9:52 AM, Stephen Harris <lists at spuddy.org> wrote:
>
>> (Blargh is right (https://blog.habets.se/2011/07/OpenSSH-certificates.html). Googling for this stuff is *hard* :)
>
> Does https://www.sweharris.org/post/2016-10-30-ssh-certs/ help at all?

Yes, I did see that in my wanderings. It's a very nice summary of the nuts and bolts of things.

"We just need the workflows to do the signing :-)"

I'm interested in that bit, though! I managed to get the basic stuff working on a couple of lab systems in a few minutes. I even set AuthorizedKeysFile to /dev/null in sshd_config to strictly enforce using the signed key.

Now I need it to scale!

jd
On Tue, Dec 26, 2017 at 3:09 AM, John Devitofranceschi <jdvf at optonline.net> wrote:
> "We just need the workflows to do the signing :-)"
>
> I'm interested in that bit, though!

Hi John, we rolled out SSH certs for an organization using G-Suite for SSO, whereby the users would run a CLI tool that would launch an OAuth login (the first time), generate a new key, then send the public key and ID Token to a CA which would stamp out a cert, and also return other SSH conf for them.

We open sourced both the server and client components here: https://github.com/continusec/geecert

It would likely be easy to add additional sources for authentication.

What that code doesn't do yet is handle workflow well for host certificates, though I did add an experimental HTTP server component which would connect to a whitelist of hosts and return a cert for the public key it sees, appropriate for invocation from a cronjob on a host to fetch its own cert.

We'll likely start rolling this out for another customer in the New Year and will update the docs then.

Hope that's helpful.

Cheers,
Adam
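The "nuts and bolts" jd got working (a CA signs the user's key, sshd trusts the CA and no longer reads authorized_keys) and the signing step that a tool like the one Adam describes automates, as an added example that is not part of the thread and is not geecert's code. It builds a throwaway lab with ssh-keygen, signs a user key with a key ID, principals, a serial and a validity window, then reads the certificate back and checks which CA signed it, which is the trust decision sshd makes against TrustedUserCAKeys. The key ID jd@laptop, the principals jd and ops, the serial 42, the file name ssh-cert-lab.sh and the /etc/ssh paths in the sshd_config snippet are all assumptions made for the lab.

```shell
#!/bin/sh
# Added example (not from the thread, not geecert code): a minimal OpenSSH
# user-certificate lab. Key ID, principals, serial and the /etc/ssh paths
# below are assumptions; empty passphrases are for the lab only.
set -e

# make_lab: creates a user CA, a second (untrusted) CA and a user key in a
# fresh temp dir and prints the dir.
make_lab() {
    d=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C 'user CA (lab)'   -f "$d/user_ca"
    ssh-keygen -q -t ed25519 -N '' -C 'other CA (lab)'  -f "$d/other_ca"
    ssh-keygen -q -t ed25519 -N '' -C 'jd laptop (lab)' -f "$d/id_ed25519"
    printf '%s\n' "$d"
}

# sign_user_key CA_KEY PUBKEY KEY_ID PRINCIPALS SERIAL VALIDITY
# Writes the certificate next to PUBKEY as <name>-cert.pub. "-O clear" drops
# every default permission, then only a pty is granted back, so the cert
# carries the least privilege the user actually needs.
sign_user_key() {
    ssh-keygen -q -s "$1" -I "$3" -n "$4" -z "$5" -V "$6" \
        -O clear -O permit-pty "$2"
}

# cert_principals CERT: prints the principals comma-separated, read from the
# "Principals:" section of ssh-keygen -L (the operator's view of a cert).
cert_principals() {
    ssh-keygen -L -f "$1" \
        | awk '/Principals:/ {f=1; next} /Critical Options:/ {f=0} f {sub(/^[ \t]+/, ""); print}' \
        | paste -s -d , -
}

# cert_signed_by CERT CA_PUB: succeeds only if the fingerprint of the CA key
# embedded in CERT equals the fingerprint of CA_PUB. ssh-keygen -L verifies
# the cert's signature against the embedded CA key, which says nothing about
# whether that CA is one you trust; this comparison is what sshd does with
# the keys listed in TrustedUserCAKeys.
cert_signed_by() {
    embedded=$(ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4}')
    expected=$(ssh-keygen -l -f "$2" | awk '{print $2}')
    [ -n "$embedded" ] && [ "$embedded" = "$expected" ]
}

# sshd_snippet: the server side. TrustedUserCAKeys makes sshd accept any cert
# signed by user_ca.pub; "AuthorizedKeysFile none" does what jd's /dev/null
# did (no per-user authorized_keys, so only certs get in);
# AuthorizedPrincipalsFile requires a cert principal to be listed for the
# target account rather than merely equal its name; RevokedKeys points at a
# KRL so a leaked cert can be cut off before its validity window ends.
sshd_snippet() {
    cat <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedKeysFile none
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
RevokedKeys /etc/ssh/revoked_keys
EOF
}

main() {
    lab=$(make_lab)
    sign_user_key "$lab/user_ca" "$lab/id_ed25519.pub" "jd@laptop" "jd,ops" 42 "+1w"
    echo "principals: $(cert_principals "$lab/id_ed25519-cert.pub")"
    cert_signed_by "$lab/id_ed25519-cert.pub" "$lab/user_ca.pub"  && echo "user_ca:  trusted"
    cert_signed_by "$lab/id_ed25519-cert.pub" "$lab/other_ca.pub" || echo "other_ca: rejected"
    ssh-keygen -L -f "$lab/id_ed25519-cert.pub"
    echo; echo "# sshd_config (server side)"; sshd_snippet
    rm -rf "$lab"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh ssh-cert-lab.sh run`. The cert itself is the same artifact whether a person types the `ssh-keygen -s` line or a service like the one Adam describes does it after an OAuth login; the scaling problem in the thread is who gets to run that line, with which principals and for how long, which is why the signing helper takes key ID, principals, serial and validity as explicit arguments and the server snippet refuses anything that is not a certificate.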