
Ask HN: Do you use SSH keys at work? - sshmania
Hi HN! Do you log in to SSH servers regularly at work? If so, what are you using to manage authentication?

- Teleport
- ScaleFT
- Raw SSH Keys + authorized_keys file
- Something else?

Thanks!
======
gargravarr
I chose to build an OpenLDAP cluster with public keys assigned to user
accounts as attributes. It's moderately complicated (since you have to extend
the standard schema, set up accurate access controls and alter SSHD on the
clients to retrieve the public keys from LDAP instead of locally), however it
means the entire stack is under my control and not dependent on an internet
connection or a third-party provider. It means I can use the same LDAP auth
system I already have set up to manage central auth.

Definitely archaic in the era of Teleport (I looked at it, but decided against
giving a third party control over my auth system), but it's pretty reliable
and works well.

~~~
sshmania
Interesting, thanks! How do you get your engineers' public keys uploaded to the
LDAP server? Do they generate keys themselves and upload to some portal?

Also, what makes you distrust Teleport -- is it just third-party code? I think
you can (or have to) self-host it, but maybe that's not true for enterprise.

~~~
gargravarr
There's a neat Python application, ssh_ldap_pubkey, that not only retrieves
the user's pubkeys (e.g. can be called by SSH) but also allows users to
manipulate them (add/delete). So end users generate the keys and push them to
the LDAP cluster themselves. The backend servers then validate SSH keys
against the LDAP servers instead of locally, so it's a perfectly logical
extension of existing LDAP functionality.

It's not specifically Teleport I distrust, it's most cloud-based software due
to its often-woeful attention to security. Also, if we suffer a major internet
outage and my systems lose connection, it shouldn't stop me SSH'ing into them.
So long as my LDAP machines, on the same LAN, are up, I can get in.

I also dislike paying for something we could build ourselves for
little-to-moderate effort :)
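The two gargravarr comments above describe the same mechanism: sshd on each host asks LDAP for the user's public keys instead of reading a local authorized_keys file, and a tool such as ssh_ldap_pubkey lets users publish their own keys into the directory. The script below is an added illustration of the sshd side of that setup; it is not code from the thread, from ssh_ldap_pubkey, or from any named project. It assumes the openssh-lpk style `sshPublicKey` attribute on `posixAccount` entries, and the directory URI, base DN and script path are placeholders. `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser` are real OpenSSH directives.

```shell
#!/bin/sh
# Added example (not from the thread or from ssh_ldap_pubkey): a minimal
# AuthorizedKeysCommand script that fetches a user's sshPublicKey attributes
# from LDAP and prints them in authorized_keys format.
#
# Assumed sshd_config lines (real OpenSSH directives; the path is a placeholder):
#   AuthorizedKeysCommand /usr/local/bin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
# sshd refuses to run the command unless the file is owned by root and is not
# group- or world-writable. It still consults ~/.ssh/authorized_keys as well
# unless AuthorizedKeysFile is set to none.
#
# LDAP_URI and LDAP_BASE are placeholder values for this example.
set -u
LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"
LDAP_BASE="${LDAP_BASE:-ou=people,dc=example,dc=org}"

# The username is supplied by an unauthenticated client (sshd substitutes %u),
# so refuse anything that could alter the LDAP search filter or be parsed as
# an option by ldapsearch.
valid_username() {
    case "$1" in
        '' | -* | *[!a-zA-Z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Convert LDIF on stdin into one key per line. LDIF folds values longer than
# 76 characters onto continuation lines that begin with a single space, and
# SSH public keys are always longer than that, so the folds must be joined or
# sshd sees a truncated key and rejects the login. Base64-encoded values
# (written as "sshPublicKey:: ...") are not handled by this example.
ldif_to_authorized_keys() {
    awk '
        /^ /  { if (inkey) buf = buf substr($0, 2); next }
              { if (inkey) { print buf; inkey = 0 }
                if ($0 ~ /^sshPublicKey: /) { buf = substr($0, 15); inkey = 1 } }
        END   { if (inkey) print buf }
    '
}

# Anonymous simple bind (-x) for brevity; in a real deployment bind with a
# dedicated read-only account over ldaps:// or StartTLS (-ZZ) so the keys
# cannot be substituted on the wire.
fetch_keys() {
    valid_username "$1" || return 1
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$1))" sshPublicKey \
        | ldif_to_authorized_keys
}

# sshd invokes the script with the login name as its only argument.
if [ -n "${1:-}" ]; then
    fetch_keys "$1"
fi
```

Two points a practitioner would check before relying on this: the LDIF unfolding, because a folded key silently breaks every login, and the username filter, because the value interpolated into the search filter comes straight from the SSH client. The availability argument made in the thread holds here as well: the script only needs the LDAP servers on the local network to be reachable.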

