
Show HN: SSH Permit A38 – Central Management and Deployment for SSH Keys - burrnii
https://github.com/ierror/ssh-permit-a38
======
ThePhysicist
Very interesting project, I've been confronted with this kind of problem
(managing SSH access for a large number of users) several times and don't
think there's a perfect solution for it yet.

An alternative (but also imperfect) solution that I've relied on in the past
is using certificate-based authentication:

[https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu](https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu)

This still requires the generation of certificates for users but it doesn't
require updating the key material on the servers themselves. Having
short-lived user certificates then gives the admin an easy way to revoke access
to a server without changing any keys there by simply not issuing a new
certificate to the user (and in urgent cases to revoke the certificate before
it expires, which requires intervention on the server though).

I really hope that OpenSSH keeps improving their (still largely incomplete)
PKI implementation, as I think it's a great feature for larger organizations.

~~~
snuxoll
FreeIPA - I wish more people knew about this. You can tie a public SSH key to
a user (users can also self-register them) and it is automatically recognized
on all hosts joined to the IPA domain. If you want to limit who has access to
what, the integrated RBAC facilities are there to handle that as well.

~~~
chrisweekly
Cool! Thanks for the tip! :)

------
sz4kerto
Genuine question: what functionality does this provide that e.g. Ansible
doesn't?

With Ansible, one can put the SSH keys into a .yml file in a format that is
very similar to the examples in the OP, then the authorized_key module can be
used to ensure that the key is present (or absent) on the remote servers. It's
really-really trivial. Maybe the difference is that you can paste the SSH key
into the CLI instead of a file... hm.

~~~
tr0ut
Can you post an example of this? Link works too.

~~~
trashcan
Relevant documentation:
[http://docs.ansible.com/ansible/latest/authorized_key_module...](http://docs.ansible.com/ansible/latest/authorized_key_module.html)
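As an added example of the Ansible approach described above (not code from any commenter, nor from the OP's project), a playbook that enforces a central key list with the authorized_key module; the user names and key blobs are constructed placeholders, and the collection name ansible.posix is where the module lives today:

```yaml
# Added example: desired-state SSH key deployment with Ansible.
# Run with: ansible-playbook -i inventory deploy_keys.yml --check --diff
- name: Enforce centrally managed authorized_keys
  hosts: all
  become: true
  vars:
    # Constructed sample data; key material is a placeholder, not a real key.
    ssh_users:
      - name: alice
        state: present
        pubkeys:
          - "ssh-ed25519 AAAAC3PLACEHOLDER_ALICE_1 alice@laptop"
          - "ssh-ed25519 AAAAC3PLACEHOLDER_ALICE_2 alice@desktop"
      - name: bob
        state: absent            # offboarded: every listed key is removed
        pubkeys:
          - "ssh-ed25519 AAAAC3PLACEHOLDER_BOB_1 bob@laptop"
  tasks:
    - name: Active users get exactly the listed keys (exclusive drops strays)
      ansible.posix.authorized_key:
        user: "{{ item.name }}"
        # Multiple keys go in one newline-separated string so that
        # exclusive=true can compare the whole set at once.
        key: '{{ item.pubkeys | join("\n") }}'
        state: present
        exclusive: true
      loop: "{{ ssh_users | selectattr('state', 'equalto', 'present') | list }}"
      loop_control:
        label: "{{ item.name }}"

    - name: Offboarded users lose every listed key
      ansible.posix.authorized_key:
        user: "{{ item.0.name }}"
        key: "{{ item.1 }}"
        state: absent
      loop: "{{ ssh_users | selectattr('state', 'equalto', 'absent') | subelements('pubkeys') }}"
      loop_control:
        label: "{{ item.0.name }}"
```

Note that exclusive: true removes any key not in the central list on the next run, including an admin's own key if it was never recorded there, so review the --check --diff output before a real run.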

------
tptacek
What's the advantage to this over setting up an SSH CA?

[https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/](https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/)

If you're in AWS, you can also look at Bless, which is Lambda-hosted and mints
short-lived certificates with a command-line client:

[https://github.com/Netflix/bless](https://github.com/Netflix/bless)

~~~
toomuchtodo
If you’re in AWS, wouldn’t SSM agents on instances be preferable to SSH
access? That provides for both access control (IAM for user access, SSM
documents for constraining command execution authority) and auditing/logging
of executed commands (CloudTrail).

This does not work for interactive terminal use cases, but does work (in my
experience) if you’re targeting immutable instances. It also has the lovely
side effect that you can create scheduled tasks within the AWS control plane
(if that’s your cup of tea).

Example SSM client: [https://github.com/itsdalmo/ssm-sh](https://github.com/itsdalmo/ssm-sh)

Disclaimer: I’m implementing this in a large enterprise environment.

------
xg15
Slightly off-topic: I've seen a few references to the Asterix A38 scene in
open source projects recently and it always seems to be a sure sign the
developers are German. Is this actually a German-only thing?

~~~
bhaak
It resonates highly with the kind of bureaucracy that Germans have to put up
with.

Therefore it wouldn't surprise me if this scene is most popular with Germans
and other nationalities only regard it as a funny, exaggerated sequence,
whereas for Germans it hits close to home.

------
TomK32
All very nice but according to Circular B 65 you will also need Permit A39.

------
edem
Fun fact: there is a ship by this name:
[https://www.a38.hu/en/](https://www.a38.hu/en/)

~~~
AdrianoKF
Not sure if the ship was named after it as well, but Permit A38 references a
scene from an Asterix and Obelix animated film
([https://en.wiktionary.org/wiki/Passierschein_A38](https://en.wiktionary.org/wiki/Passierschein_A38);
[https://www.youtube.com/watch?v=GI5kwSap9Ug](https://www.youtube.com/watch?v=GI5kwSap9Ug)).
The comic series by René Goscinny and animated films were very popular in
Europe, probably not so much in the US.

Permit A38 refers to a scene where the protagonists are referred multiple
times within an overly bureaucratic Roman administrative office, so it has
become sort of synonymous with a Sisyphean task in the German language (at
least in limited circles).

