OpenSSH key signing service?

John Devitofranceschi jdvf at optonline.net
Tue Dec 26 01:38:35 AEDT 2017



> On Dec 25, 2017, at 2:36 AM, Peter Moody <mindrot at hda3.com> wrote:
> 
> On Sun, Dec 24, 2017 at 9:54 PM, David Newall <openssh at davidnewall.com> wrote:
>> On 25/12/17 00:11, John Devitofranceschi wrote:
>>> 
>>> Besides ssh.com’s PrivX product, has anyone created a web service that can
>>> be used to issue temporary certkeys to authenticated users?
>>> 
>>> Any pointers appreciated!
>> 
>> 
> 
> I would agree that using a random service for signing certs is a bad
> idea. thankfully there are a few full featured opensource ssh CA's
> already available. I have it on good authority that another is going
> to be released in the near future as well.

Details on these, please? Since that was kind of what I was asking for in the OP :) 

I have found a couple on github:
https://github.com/cloudtools/ssh-cert-authority
https://github.com/cloudtools/ssh-ca

(Blargh is right (https://blog.habets.se/2011/07/OpenSSH-certificates.html). Googling for this stuff is *hard* :)

And I *am* researching this for an enterprise that has strict access control requirements.

Not only are we expected to provide evidence of when users accessed systems and for
how long, we are also expected to show when access was requested and who approved it.

Simply trusting (mostly non-technical) users to do the right thing is never a good 
idea when auditors and compliance folks are involved.  

As far as an OpenSSH CA is concerned, I’m thinking of a model akin to the big X.509 CAs
for enterprise users to obtain ssh authentication keys. If the keys are never touched by human
hands, so much the better.

jd
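The signing step such a CA performs, as an added example (this is not code from the thread, from PrivX, or from the cloudtools projects linked above): a short-lived OpenSSH user certificate is issued with plain ssh-keygen(1) only when an approver is recorded, and every decision, issued or denied, is appended to an audit log that captures who requested and who approved, which is the evidence the poster's auditors ask for. The CA only ever receives the requester's public key; the private half never leaves the user's machine. All names (alice, bob, the example.com key ID, the principals, file paths and the SSH_CA_DEMO_NORUN variable) are hypothetical, and the script assumes an OpenSSH with certificate support (5.4 or later).

```shell
#!/bin/sh
# Added example, not from this thread or from any linked project. Demonstrates
# approval-gated, short-lived OpenSSH certificate issuance with an audit trail.
# Names, paths and identities below are hypothetical.
set -eu

now_utc() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# issue_cert CA_KEY USER_PUB IDENTITY PRINCIPALS VALIDITY SERIAL REQUESTER APPROVER LOG
#   CA_KEY     CA private key; the CA never sees the user's private key
#   USER_PUB   requester's public key; the certificate lands beside it as *-cert.pub
#   IDENTITY   key ID (-I); sshd logs it on every login, so it should name the person
#   PRINCIPALS comma-separated principals (-n) the certificate may log in as
#   VALIDITY   ssh-keygen validity interval (-V), e.g. +1h for "from now, one hour"
#   SERIAL     unique serial (-z); needed later to revoke this one cert via a KRL
#   REQUESTER  who asked; APPROVER who approved (empty APPROVER means: deny)
#   LOG        append-only audit log
issue_cert() {
  ca_key=$1 user_pub=$2 identity=$3 principals=$4 validity=$5 serial=$6
  requester=$7 approver=$8 logfile=$9
  if [ -z "$approver" ]; then
    printf '%s DENIED serial=%s identity=%s requester=%s reason=no-approval\n' \
      "$(now_utc)" "$serial" "$identity" "$requester" >>"$logfile"
    return 1
  fi
  # -O clear drops every default extension (agent, X11 and port forwarding, ...);
  # only permit-pty is added back, so the cert grants a shell and nothing more.
  ssh-keygen -q -s "$ca_key" -I "$identity" -n "$principals" -V "$validity" -z "$serial" \
    -O clear -O permit-pty "$user_pub"
  printf '%s ISSUED serial=%s identity=%s principals=%s validity=%s requester=%s approver=%s\n' \
    "$(now_utc)" "$serial" "$identity" "$principals" "$validity" "$requester" "$approver" \
    >>"$logfile"
}

# demo DIR: constructed end-to-end run in a scratch directory. Both key pairs are
# generated here only so the example is self-contained; in the real flow the user's
# key pair is created on the user's machine (or hardware token) and only user.pub
# travels to the CA.
demo() {
  dir=$1
  ssh-keygen -q -t ed25519 -N '' -C 'demo-ssh-ca' -f "$dir/ca"
  ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$dir/user"
  issue_cert "$dir/ca" "$dir/user.pub" 'alice@example.com' 'alice,ops' '+1h' 42 \
    'alice' 'bob' "$dir/audit.log"
  # What an auditor (or an sshd configured with TrustedUserCAKeys) reads back.
  ssh-keygen -L -f "$dir/user-cert.pub"
  cat "$dir/audit.log"
}

# Stand-alone run; set SSH_CA_DEMO_NORUN=1 to only load the functions.
if [ -z "${SSH_CA_DEMO_NORUN:-}" ] && command -v ssh-keygen >/dev/null 2>&1; then
  demo "$(mktemp -d)"
fi
```

The validity interval is what turns this into "temporary certkeys": a one-hour certificate expires on its own, so there is nothing for the user to clean up and nothing long-lived to steal. The serial is what lets you revoke a single certificate early (ssh-keygen -k builds a KRL from serials) without rotating the CA, and the key ID ties each sshd login line back to the audit record of the approval.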



