Self-Service SSH Certificates, presented at OWASP New Zealand Day 2020

by Jeremy Stott

Summary: SSH is the trustworthy hammer relied on for decades to remotely connect to computers. Even pushing/pulling code to GitHub uses SSH. But how do you manage access for everyone on all your servers? (well, not just anyone) This talk will show how SSH certificates solve pain points in growing teams!

SSH certificates are an under-utilised feature of OpenSSH, but they offer a fantastic method to solve some pain points of growing teams and growing infrastructure. Hosts only trust a single public key of a trusted certificate authority instead of keys from every developer (and let's be honest, several who are no longer working at your company :uhoh:). SSH certificates expire (this is good), and can also tell SSH what you can or can't do with your session. They can even help mint a new user on a brand new trusting host, or enable sudo.

Similarly, clients can trust a single public key of a trusted certificate authority for host keys, and not need to constantly remove entries in your ~/.authorized_hosts file when a host changes its key (and verify the new fingerprint... right... right..?).

Nobody wants more (any?) PKI to manage, so a scalable self-service method is presented using existing and new open source software to let people in large teams onboard themselves safely.
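The abstract describes both halves of the model: hosts trust one user CA instead of a pile of per-developer keys, and clients trust one host CA instead of pinning every host key. The script below is an added example, not material from the talk, showing that workflow with plain OpenSSH `ssh-keygen`: a user CA and a host CA are created, a user certificate is issued that expires in 8 hours, is limited to the principal `alice` and carries a source-address restriction, a host certificate is issued for the names a host will present, and the two trust lines (server-side `TrustedUserCAKeys`/`HostCertificate`, client-side `@cert-authority` in `known_hosts`, which is the file the client actually consults for host keys) are printed. All key paths, key IDs, principals, host names and addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the talk): minimal SSH certificate workflow with ssh-keygen.
# Every path, key ID, principal, host name and address here is constructed for the demo.
set -eu

WORK="${SSH_CERT_DEMO_DIR:-$(mktemp -d)}"
CA_KEY="$WORK/user_ca"            # user CA private key: keep offline / in an HSM in practice
HOST_CA_KEY="$WORK/host_ca"       # host CA private key: same treatment
USER_KEY="$WORK/alice_ed25519"    # a developer's ordinary key pair
HOST_KEY="$WORK/ssh_host_ed25519_key"  # a server's ordinary host key pair

# 1. Generate the CAs and the two plain key pairs (ed25519, no passphrase for the demo).
make_keys() {
  for k in "$CA_KEY" "$HOST_CA_KEY" "$USER_KEY" "$HOST_KEY"; do
    [ -f "$k" ] || ssh-keygen -q -t ed25519 -N '' -C "$(basename "$k")" -f "$k"
  done
}

# 2. Sign a short-lived user certificate: valid 8 hours (-V +8h), only for the
#    principal "alice" (-n), and only from 10.0.0.0/8 (critical option source-address).
#    Output lands next to the key as alice_ed25519-cert.pub.
sign_user_cert() {
  ssh-keygen -q -s "$CA_KEY" -I "alice@laptop-demo" -n alice \
    -V +8h -O source-address=10.0.0.0/8 "$USER_KEY.pub"
}

# 3. Sign a host certificate (-h) for the names/addresses the host will present.
sign_host_cert() {
  ssh-keygen -q -s "$HOST_CA_KEY" -I "bastion-demo" -h \
    -n bastion.example.test,10.0.0.5 -V +52w "$HOST_KEY.pub"
}

# Certificate type from `ssh-keygen -L`: prints "user" or "host".
cert_kind() {
  ssh-keygen -L -f "$1" | awk '/Type:/ { print $(NF-1) }'
}

# Principals from `ssh-keygen -L`, one per line (the indented lines that follow
# "Principals:" up to "Critical Options:").
cert_principals() {
  ssh-keygen -L -f "$1" | \
    awk '/Principals:/ { p = 1; next } /Critical Options:/ { p = 0 } p { print $1 }'
}

# 4. Server side (sshd_config): trust the user CA, present the host certificate.
#    Mapping principals such as "alice" to local accounts is done with
#    AuthorizedPrincipalsFile; by default the principal must equal the login name.
sshd_trust_lines() {
  printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\n'
  printf 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\n'
}

# 5. Client side (~/.ssh/known_hosts): one line trusts the host CA for a name
#    pattern, so individual host keys never need to be pinned or cleaned up.
known_hosts_ca_line() {
  printf '@cert-authority *.example.test,10.0.0.* %s\n' \
    "$(cut -d' ' -f1,2 "$HOST_CA_KEY.pub")"
}

demo() {
  make_keys
  sign_user_cert
  sign_host_cert
  ssh-keygen -L -f "$USER_KEY-cert.pub"   # inspect: Valid, Principals, Critical Options
  ssh-keygen -L -f "$HOST_KEY-cert.pub"
  sshd_trust_lines
  known_hosts_ca_line
}

if command -v ssh-keygen >/dev/null 2>&1; then
  demo
else
  echo "ssh-keygen not found; skipping demo" >&2
fi
```

The check a practitioner should do after signing is `ssh-keygen -L` on the certificate: the `Valid:` window, the `Principals:` list and the `Critical Options:` block are exactly what the server will enforce, and a certificate with no principals or no expiry is the thing to refuse to hand out.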