
Ephemeral certificates could replace password vaults - simpple
https://www.ssh.com/iam/ephemeral_access/
======
opless
This sounds completely insane.

So we delegate security to an alleged "trusted" third party that both the
sysadmin and user have to trust.

Sounds like a massive increase in attack surface with questionable advantages.

~~~
jimktrains2
Isn't that basically how Kerberos works? Did with ephemeral certs?

~~~
stcredzero
Kerberos started out with symmetric keys. It's been a long time since I
followed things, so that might have changed. Public keys would greatly
simplify key distribution, of course.

------
cmiles74
We do something similar with HashiCorp Vault. People authenticate to Vault
(backed by Active Directory) and if they have the proper permissions (based on
AD group) they can ask Vault to issue an SSH certificate for a particular
account on a specific server. This is working well; we no longer have accounts
for everyone who needs access on every box and giving or removing access is as
easy as changing group membership in AD.

[https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-cert...](https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html)
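The Vault-issued SSH certificate flow cmiles74 describes, as an added example that is not part of the thread or of HashiCorp's own documentation; the role name deploy-role, the deploy principal, the user alice and the host app01 are assumptions, and the ssh-keygen output is a constructed sample:

```shell
#!/bin/sh
# Added example of the Vault-issued SSH certificate flow from the comment above.
# Assumptions: Vault's LDAP auth method (bound to Active Directory) is mounted
# at auth/ldap; an ssh secrets engine is mounted at ssh-client-signer with a
# role "deploy-role" that restricts allowed_users and sets a short ttl.
set -eu
# 1. Authenticate with AD credentials. Vault maps the user's AD groups to
#    policies, and those policies decide who may call the sign endpoint.
vault_login_ad() {   # username
  vault login -method=ldap username="$1"
}
# 2. Have Vault sign the user's public key for one principal only; the role's
#    ttl bounds the certificate lifetime, so nothing long-lived is kept around.
request_ssh_cert() {   # role principal pubkey_path cert_out
  vault write -field=signed_key "ssh-client-signer/sign/$1" \
    public_key=@"$3" valid_principals="$2" > "$4"
  chmod 600 "$4"
}
# 3. Inspect what was issued (principals, validity window, extensions).
show_cert() { ssh-keygen -L -f "$1"; }
# Pure helper: print the Principals listed in ssh-keygen -L output read on stdin.
cert_principals() {
  awk '/^[[:space:]]*Principals:/ { inp = 1; next }
       inp && /^[[:space:]]*[A-Za-z ]+:/ { inp = 0 }
       inp { gsub(/^[[:space:]]+|[[:space:]]+$/, ""); if ($0 != "") print }'
}
# Returns 0 only if the certificate grants exactly the one expected principal,
# i.e. the issuer did not hand out broader access than was requested.
cert_only_principal() {   # expected_principal, certificate text on stdin
  [ "$(cert_principals)" = "$1" ]
}
# Constructed sample of ssh-keygen -L output for an offline check of the helpers.
SAMPLE_CERT_TEXT='signed-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "vault-ldap-alice-constructed"
        Valid: from 2019-01-01T10:00:00 to 2019-01-01T10:30:00
        Principals:
                deploy
        Critical Options: (none)'
# Per host, sshd_config needs:  TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
# with the file filled from:   vault read -field=public_key ssh-client-signer/config/ca
# Typical session (needs a reachable Vault, so not part of the offline check):
#   vault_login_ad alice
#   request_ssh_cert deploy-role deploy ~/.ssh/id_ed25519.pub ~/.ssh/id_ed25519-cert.pub
#   show_cert ~/.ssh/id_ed25519-cert.pub
#   ssh -i ~/.ssh/id_ed25519-cert.pub -i ~/.ssh/id_ed25519 deploy@app01
```

Revoking access is then a matter of group membership in AD, since every certificate expires on its own and the sign endpoint is the only place a new one can come from.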

