open-source-ideas / ideas


SSH Certificates management platform #130

Open sgrunt91 opened 5 years ago

sgrunt91 commented 5 years ago

Project description

As many ops, I was looking for the best way to manage SSH access to many servers. I found many ways to do it. One of them was using SSH Certificates; I thought this solution was very good, but unfortunately it's a little "underrated", and today there is no well-known and well-tested open source solution for that.

There are some company projects that use it, but they're often designed for those companies and need to be adapted to our needs, which takes time. I'm thinking about CASSH from leboncoin: https://medium.com/leboncoin-engineering-blog/cassh-ssh-key-signing-tool-39fd3b8e4de7 and Cashier: https://github.com/nsheridan/cashier

But what is missing IMO is a great WebUI with admin and user management. Maybe a more solid API. Maybe an agent to update the CA and KRL on managed servers. It also needs configuration of everything a certificate can bring (restricted commands, etc.). It could be cool to combine it with host certificates. It needs to be easy for everyone to get popular.

I truly believe in SSH Certificates; it just needs a good and robust management platform.

The quickest solution could be to build a WebUI for a cashier backend.

Relevant Technology

I don't know yet, maybe JavaScript/Node.js or Python. It's basically a web application with a web API which executes ssh-keygen commands. Maybe http://www.passportjs.org/ could be useful. OTP integration could be great too.

Complexity

Required time (ETA)

rkrx commented 5 years ago

As many ops, I was looking for the best way to manage SSH access to many servers.

Virtually everybody is using an ssh-agent for that (Pageant for Windows users; it is also available as a KeePass plugin). It's a solved problem.

sgrunt91 commented 5 years ago

As many ops, I was looking for the best way to manage SSH access to many servers.

Virtually everybody is using an ssh-agent for that (Pageant for Windows users; it is also available as a KeePass plugin). It's a solved problem.

SSH Keys ≠ SSH Certificates. SSH Certificates are SSH keys signed by a CA. I'm not talking about how to manage SSH keys on the user's computer, but about how to allow or revoke access to servers; another important thing is key rotation. I think I'm not very clear in my description... I'll try to improve it. Thanks for your answer anyway :)
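The pieces a management platform like the one proposed would wrap are all plain ssh-keygen operations: a CA key, signing a user key with principals, a validity window, a serial and restrictions (the "restricted commands" from the description), reading the signed fields back for an admin UI, and revoking by serial through a KRL that an agent would push to servers. The script below is an added example, not code from this thread, cashier or CASSH; the CA name "demo-ssh-ca", the principal "deploy", the address range 10.0.0.0/8 and the path /usr/local/bin/deploy-shell are made-up values, and everything is written to a temporary directory.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread): the ssh-keygen side of an SSH
# certificate management platform. "demo-ssh-ca", "deploy", 10.0.0.0/8 and
# /usr/local/bin/deploy-shell are hypothetical. Everything lives in a temp dir.
set -eu

if ! command -v ssh-keygen >/dev/null 2>&1; then
  echo "ssh-keygen not found; nothing to demonstrate" >&2
  exit 0
fi

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
KRL="$WORKDIR/revoked.krl"

# 1. The CA keypair. In a real platform the private half never leaves the
#    signing service (ideally an HSM); servers only ever receive ca.pub.
make_ca() {
  rm -f "$WORKDIR/ca" "$WORKDIR/ca.pub"
  ssh-keygen -q -t ed25519 -N '' -C 'demo-ssh-ca' -f "$WORKDIR/ca"
}

# 2. Issue a short-lived user certificate. Access is granted by principals
#    (matched against the login name or AuthorizedPrincipalsFile), bounded by
#    -V, tied to a serial for later revocation, and restricted with critical
#    options. "-O clear" drops the default extensions so only permit-pty stays.
issue_user_cert() {
  local user="$1" serial="$2"
  rm -f "$WORKDIR/$user" "$WORKDIR/$user.pub" "$WORKDIR/$user-cert.pub"
  ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$WORKDIR/$user"
  ssh-keygen -q -s "$WORKDIR/ca" -I "$user@demo-ssh-ca" -n "$user,deploy" \
    -V '-5m:+8h' -z "$serial" \
    -O clear -O permit-pty \
    -O source-address=10.0.0.0/8 \
    -O force-command=/usr/local/bin/deploy-shell \
    "$WORKDIR/$user.pub"
  echo "$WORKDIR/$user-cert.pub"
}

# 3. Read the signed fields back so an admin UI or audit log can show exactly
#    what was granted. These parse the text output of "ssh-keygen -L".
cert_serial() {
  ssh-keygen -L -f "$1" | awk '$1 == "Serial:" { print $2 }'
}

cert_key_id() {
  ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Key ID: "\(.*\)"$/\1/p'
}

cert_principals() {
  ssh-keygen -L -f "$1" | awk '
    $1 == "Principals:" { p = 1; next }
    $1 == "Critical" || $1 == "Extensions:" { p = 0 }
    p { printf "%s%s", sep, $1; sep = "," }
    END { print "" }'
}

cert_critical_options() {
  ssh-keygen -L -f "$1" | awk '
    $1 == "Critical" { p = 1; next }
    $1 == "Extensions:" { p = 0 }
    p { printf "%s%s=%s", sep, $1, $2; sep = ";" }
    END { print "" }'
}

# 4. Revocation by serial: the platform does not need the certificate file,
#    only the serial it logged at issuance. The KRL is created on first use and
#    updated (-u) afterwards; sshd consumes it through RevokedKeys.
revoke_serial() {
  local serial="$1"
  printf 'serial: %s\n' "$serial" > "$WORKDIR/revoke.spec"
  if [ -f "$KRL" ]; then
    ssh-keygen -q -k -u -f "$KRL" -s "$WORKDIR/ca.pub" "$WORKDIR/revoke.spec"
  else
    ssh-keygen -q -k -f "$KRL" -s "$WORKDIR/ca.pub" "$WORKDIR/revoke.spec"
  fi
}

# Prints "revoked" or "valid". The text is inspected rather than the exit
# status, which has differed between OpenSSH releases.
cert_status() {
  local out
  [ -f "$KRL" ] || { echo valid; return; }
  out="$(ssh-keygen -Q -f "$KRL" "$1" 2>&1 || true)"
  case "$out" in
    *REVOKED*) echo revoked ;;
    *) echo valid ;;
  esac
}

# Demo run: issue a certificate for alice, show its fields, revoke it, re-check.
make_ca
ALICE_CERT="$(issue_user_cert alice 1001)"
echo "key id:     $(cert_key_id "$ALICE_CERT")"
echo "serial:     $(cert_serial "$ALICE_CERT")"
echo "principals: $(cert_principals "$ALICE_CERT")"
echo "options:    $(cert_critical_options "$ALICE_CERT")"
echo "status:     $(cert_status "$ALICE_CERT")"
revoke_serial 1001
echo "after KRL:  $(cert_status "$ALICE_CERT")"
# The agent from the proposal would ship ca.pub and the KRL to each server and
# point sshd_config at them:  TrustedUserCAKeys /etc/ssh/ca.pub
#                             RevokedKeys       /etc/ssh/revoked.krl
```

Two design points matter for a platform built on this: the serial, not the certificate file, is the revocation handle, so it must be recorded (with the key id and principals) at issuance; and because the KRL is per-CA and cumulative, rotating the CA key means either re-signing every live certificate or running two CAs side by side until the old certificates expire, which is the "key rotation" point raised above.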

keerthivasan-r commented 5 years ago

@sgrunt91 I get your idea. It's nice. Don't we not have one now really? I can't believe this.

darshkpatel commented 5 years ago

If it's not been done already, we can make a centralized key management interface for servers.

We can also provide an API for automation.

Count me in!

On Thu, Mar 28, 2019, 6:53 PM Keerthivasan R notifications@github.com wrote:

I get your idea. It's nice. Don't we not have one now really? I can't believe this.


blaggacao commented 4 years ago

https://keybase.io/blog/keybase-ssh-ca

darshkpatel commented 4 years ago

Yup, thought so

On Mon, 18 Nov, 2019, 11:53 am David Arnold, notifications@github.com wrote:

https://keybase.io/blog/keybase-ssh-ca
