add keys and certificate to forwarded agent on remote host

Rory Campbell-Lange rory at campbell-lange.net
Wed Sep 19 04:44:01 AEST 2018


On 18/09/18, Tim Jones (b631093f-779b-4d67-9ffe-5f6d5b1d3f8a at protonmail.ch) wrote:

> > Unless I've misunderstood, verification of the user and the permissions
> > they have for potentially many roles on many servers are quite different
> > things.
> 
> Possibly the other question you need to be asking yourself is whether
> you're abusing SSH, trying to make it do another tool's job?
> 
> e.g. sudo/doas for "root on a server", or Kerberos+LDAP or similar.
> 
> Apologies if I'm teaching granny to suck eggs here, or my
> understanding of SSH is all wrong.  But surely SSH certificates were
> only ever intended to be for authentication, not for authorization?
> 
> Look at Amazon AWS for example.  You can *authenticate* to their
> services using SSH, but the whole *authorization* logic is controlled
> through AWS IAM.
> 
> Surely, if anything, the AWS-style system is the one you should be
> looking to replicate? As that is obviously a methodology that has
> been proven to scale?

Sure, the logic behind certificate issuance is based around
authorization.

In a small, open-source environment (i.e. no dependencies on AWS or
similar external providers) what authorization system would you
recommend that deals with users, roles and machines? Ideally it would
plug into openssh.


More information about the openssh-unix-dev mailing list