OpenSSH key signing service?

Adam Eijdenberg adam at continusec.com
Tue Dec 26 09:14:59 AEDT 2017


On Tue, Dec 26, 2017 at 3:09 AM, John Devitofranceschi
<jdvf at optonline.net> wrote:
> "We just need the workflows to do the signing :-)”
>
> I’m interested in that bit, though!

Hi John, we rolled out SSH certs for an organization using G-Suite for
SSO - whereby the users would run a CLI tool that would launch an
OAuth login (the first time), generate a new key, then send the public
key and ID Token to a CA which would stamp out a cert, and also return
other SSH conf for them. We open sourced both the server and client
components here: https://github.com/continusec/geecert

It would likely be easy to add additional sources for authentication.
What that code doesn't do yet, is handle workflow well for host
certificates - though I did add an experimental HTTP server component
which would connect to a whitelist of hosts, and return a cert for the
public key it sees, appropriate for invocation from a cronjob on a
host to fetch its own cert. We'll likely start rolling this out for
another customer in the New Year and will update the docs then.

Hope that's helpful.

Cheers, Adam



More information about the openssh-unix-dev mailing list