OpenSSH key signing service?
ronf at timeheart.net
Wed Dec 27 22:19:24 AEDT 2017
On Dec 26, 2017, at 7:11 PM, John Devitofranceschi <jdvf at optonline.net> wrote:
>> On Dec 26, 2017, at 2:09 PM, Stef Bon <stefbon at gmail.com> wrote:
>> 2017-12-25 23:37 GMT+01:00 Peter Moody <mindrot at hda3.com>:
>> I perfectly understand that central management of keys is when
>> handling much hosts and many users is a good solution,
>> but I think it's a bit odd.
>> Please correct me if I'm wrong, the host receives from the authority
>> keys, and uses those to do the signature checking, or the creation of
>> a signature.
>> Keys are send from the authority to the host.
>> But why don't let the authority handle everything with the server to
>> connect to, keymaterial stays on the cert authority.
> I do see your point and there are products out there that provide secure
> gateways like you describe. They include all kinds of other features like
> privilege escalation, timed access, session logging, etc.
> I’m more interested in a web service that can sign a user’s personal key (only
> the public key needs to be given then), provide short-lived ssh credentials to
> enable access to ’special’ hosts (possibly with a different ca key), and be used
> in the host staging process to sign host keys.
> The user may never even need to directly handle the short-lived credentials.
> The service would just download them into a well-known area and provide the
> user with a link to execute a local (to the user) ssh client with the key
> information included in the command line.
> This would be a way to keep the signing keys secured while allowing a high
> degree of self-service. Kind of like how X.509 certificate authorities work.
It may not be an exact match for what you’re looking for, but you may want to check out “keymaster” at:
It is a service designed to provide short-term SSH and TLS certificates based on some other common authentication back-end (providing “single sign on” capability with optional two-factor auth).
More info is available in the design doc at:
There was also a presentation at a recent Silicon Valley IAM User Group meeting available at:
ronf at timeheart.net
More information about the openssh-unix-dev