OpenSSH 5.4 was released on 2010-03-08, and that is when the project added support for certificate authentication of users and hosts using an OpenSSH certificate format (not X.509).

Why am I telling you this? Because I wanted to find out since when exactly I have been putting off actually experimenting with SSH certificates, and I can now with certainty say that as far as this topic is concerned I've been an idiot over the last 16 years!

@jpmens I find this a good enlightening past experiment with all sorts of nice properties: https://speakerdeck.com/rlewis/how-netflix-gives-all-its-engineers-ssh-access-to-instances-running-in-production (ephemeral certificates with a static CA) and hence https://github.com/Netflix/bless
@pmevzek thank you, I enjoy reading how/what others have done!

@pmevzek good ideas in that slide deck, and thank you -- interesting.

Pity that the BLESS software (meanwhile put to pasture by Netflix) requires AWS. I've also been looking at step (https://smallstep.com/blog/use-ssh-certificates/) which seems well documented etc, but they seem to need an IDP which is probably fine for very large orgs but surely overkill for smallish projects.
