wallix / awless

A Mighty CLI for AWS
http://awless.io/
Apache License 2.0

SSH Certificate #69

Open sad75 opened 7 years ago

sad75 commented 7 years ago

It will be very convenient to have a way to instantiate a new VM with an SSH certificate instead of a key.

simcap commented 7 years ago

Definitely a good idea that awless could help with and enforce.

Since the authentication goes both ways, I am guessing we would start by authenticating the clients (users) to cloud VMs (servers).

I imagine in this case, roughly the steps could be:

  1. An authority (company's server or else) generates a CA
  2. On each new created VM via awless:
    • check the VM has a running SSH daemon.
    • with the given public CA, upload it to the VM ssh server config under TrustedUserCAKeys
    • restart the SSH daemon
  3. Independently have the authority (company's server or else) generate a client CA by signing each client's public key
  4. Make sure each client wanting to connect to a VM via awless has the client certificate in their local SSH config.

In terms of features, this is a combination of awless doing small control and provisioning. A good start could be to use the provided AWS UserData field, which is a field for scripts you want to run on the creation of an instance.
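The four steps sketched in the comment above, written out as shell functions. This is an added example and not awless code or anything from the thread; every name in it is an assumption: the CA lives in a directory passed by the caller as `user_ca`/`user_ca.pub`, keys are ed25519, the VM copy of the CA public key goes to `/etc/ssh/user_ca.pub`, client certificates are valid for 8 hours with the login name as the single principal, and `alice`, `web1` and `203.0.113.10` are constructed demo values. The user-data script refuses to touch a VM without `sshd`, and runs `sshd -t` before restarting so a bad config line cannot lock everyone out.

```shell
#!/bin/sh
# Added example (not awless code): the user-CA flow from the comment above.
# Assumed layout: CA key pair at <ca_dir>/user_ca, CA public key installed on
# each VM at /etc/ssh/user_ca.pub via EC2 user data, 8h client certificates.
set -eu

# Step 1: the authority generates the user CA key pair (ed25519 assumed).
make_user_ca() {            # usage: make_user_ca <ca_dir>  -> prints the CA public key line
  mkdir -p "$1"
  [ -f "$1/user_ca" ] || ssh-keygen -q -t ed25519 -N '' -C 'awless user CA' -f "$1/user_ca"
  cat "$1/user_ca.pub"
}

# Step 2: user-data script for a freshly created VM. It checks an sshd exists,
# installs the CA public key, adds TrustedUserCAKeys once, validates the
# config with `sshd -t` before restarting, and tolerates both unit names.
render_user_data() {        # usage: render_user_data <ca_pubkey_line>
  cat <<EOF
#!/bin/sh
set -e
command -v sshd >/dev/null 2>&1 || { echo 'no sshd on this VM' >&2; exit 1; }
printf '%s\n' '$1' > /etc/ssh/user_ca.pub
chmod 0644 /etc/ssh/user_ca.pub
grep -q '^TrustedUserCAKeys' /etc/ssh/sshd_config || echo 'TrustedUserCAKeys /etc/ssh/user_ca.pub' >> /etc/ssh/sshd_config
sshd -t
systemctl restart sshd 2>/dev/null || systemctl restart ssh 2>/dev/null || service ssh restart
EOF
}

# Step 3: the authority signs a client's public key. The certificate carries
# the user as its only principal, a serial number (usable in a RevokedKeys
# list later) and an 8h validity, so a leaked key expires on its own.
sign_client_key() {         # usage: sign_client_key <ca_dir> <user_pubkey> <principal> <serial>
  ssh-keygen -q -s "$1/user_ca" -I "$3@awless" -n "$3" -z "$4" -V +8h "$2"
  echo "${2%.pub}-cert.pub"  # ssh-keygen writes the cert next to the key
}

# Read back the principals a certificate asserts (from `ssh-keygen -L`);
# worth checking before a certificate is handed to a user.
cert_principals() {         # usage: cert_principals <cert_path>
  ssh-keygen -L -f "$1" | awk '/Principals:/{f=1; next} /Critical Options:/{f=0} f{print $1}'
}

# Step 4: client-side ssh_config entry. ssh offers the certificate next to the
# private key, so nothing needs to be in the VM's authorized_keys.
render_client_config() {    # usage: render_client_config <alias> <hostname> <private_key_path>
  cat <<EOF
Host $1
    HostName $2
    IdentityFile $3
    CertificateFile $3-cert.pub
    IdentitiesOnly yes
EOF
}

# End-to-end run with constructed names; only executed when ssh-keygen exists.
demo() {
  work=$(mktemp -d)
  ca_pub=$(make_user_ca "$work/ca")
  render_user_data "$ca_pub" > "$work/user-data.sh"      # what awless would pass as UserData
  ssh-keygen -q -t ed25519 -N '' -f "$work/alice"          # the client's own key pair
  cert=$(sign_client_key "$work/ca" "$work/alice.pub" alice 1)
  echo "signed $cert for principals: $(cert_principals "$cert")"
  render_client_config web1 203.0.113.10 "$work/alice"
}
if command -v ssh-keygen >/dev/null 2>&1; then demo; fi
```

The `-V +8h` and `-n <principal>` choices are the part worth getting right: without a validity window a signed key is as permanent as an authorized_keys entry, and without a principal list the CA would vouch for any login name. The host-to-client direction the comment mentions (host certificates, `HostCertificate` in sshd_config and `@cert-authority` in known_hosts) is a separate CA and is not covered here.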