search for: ussh

...for example, over ansible and keeping a record of who performed the actions, something ssh certificates solves well. The problem is then to automate certificate issuance since it would be pretty arduous for someone to keep issuing short-lived user certificates. I was intrigued to read Uber's ussh announcement page and wondered if this suggests a route for doing so: (https://medium.com/uber-security-privacy/introducing-the-uber-ssh-certificate-authority-4f840839c5cc) An employee gets a ussh certificate when they run the ussh command. This connects to the USSHCA, performs the pam con...

https://bugzilla.mindrot.org/show_bug.cgi?id=2598 Bug ID: 2598 Summary: ssh-agent very occasionally won't remove keys or certs despite now() >= lifetime Product: Portable OpenSSH Version: 6.9p1 Hardware: amd64 OS: Mac OS X Status: NEW Severity: minor Priority: P5

...nd of what I was asking for in > the OP :) netflix's bless has been around for a while. https://github.com/Netflix/bless nial sheridan gave a talk recently at LISA about cashier. https://github.com/nsheridan/cashier and finally i'm hoping to have all the necessary approvals to release ussh early next year. I wrote about ussh here https://medium.com/uber-security-privacy/introducing-the-uber-ssh-certificate-authority-4f840839c5cc Cheers, peter

On Mon, Jul 20, 2020 at 08:24:45PM -0700, Peter Moody wrote: > I wrote something a lot like this when I was at uber > > https://github.com/pmoody-/pam-ussh > > (the uber version is here: https://github.com/uber/pam-ussh) Needing PAM auth via ssh-agent is not so uncommon and yet using sshd is not necessarily the first (or best) solution to come to mind. Having it available as part of openssh would be a useful bridgehead for educating users tow...

On Sun, Dec 24, 2017 at 9:54 PM, David Newall <openssh at davidnewall.com> wrote: > On 25/12/17 00:11, John Devitofranceschi wrote: >> >> Besides ssh.com?s PrivX product, has anyone created a web service that can >> be used to issue temporary certkeys to authenticated users? >> >> Any pointers appreciated! > > > I expect that what I'm about to

I know that there are some methods to use federated identities (e.g. OAuth2) with SSH authentication but, from what I've seen, they largely seem clunky and require users to interact with web browsers to get one time tokens. Which is sort of acceptable for occasional logins but doesn't work with automated/scripted actions. I'm just wondering if anyone has done any work on this or

On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote: > Imagine sysadminning a boatload of VMs getting IPs from a dynamic pool, a la > > $ for ADDR in $CUSTOMER_1_RANGE $CUSTOMER_2_RANGE... ; do > > ping -c 1 -w 2 $ADDR >/dev/null 2>&1 && ssh root@$ADDR do_urgent_fix > > done > > , and it mightn't be that much of a niche anymore ... And

Hi, The main (and probably the only) use case of this PAM module is to let sudo authenticate users via their ssh-agent, therefore without having to type any password and without being tempted to use the NOPASSWD sudo option for such convenience. The principle is originally implemented by an existing module [0][1] and many pages that explain how to use it for such purpose can be found online.