add keys and certificate to forwarded agent on remote host

Tim Jones b631093f-779b-4d67-9ffe-5f6d5b1d3f8a at protonmail.ch
Wed Sep 19 04:22:12 AEST 2018


> What is nice about runtime certificate issuance is that certificates can
> be tuned for particular per-user, per-instance use cases, such as "root
> on all DC1 webservers".
>
> Unless I've misunderstood, verification of the user and the permissions
> they have for potentially many roles on many servers are quite different
> things.


Possibly the other question you need to be asking yourself is whether you're abusing SSH, trying to make it do another tool's job?

e.g. sudo/doas for "root on a server", or Kerberos+LDAP or similar.

Apologies if I'm teaching granny to suck eggs here, or my understanding of SSH is all wrong. But surely SSH certificates were only ever intended to be for authentication, not for authorization?

Look at Amazon AWS for example. You can *authenticate* to their services using SSH, but the whole *authorization* logic is controlled through AWS IAM.

Surely, if anything, the AWS-style system is the one you should be looking to replicate, as that is obviously a methodology that has been proven to scale?