Hacker News new | comments | show | ask | jobs | submit login
Show HN: SSH Permit A38 – Central Managment and Deployment for SSH Keys (github.com)
86 points by burrnii 5 months ago | hide | past | web | favorite | 26 comments

Very interesting project, I've been confronted with this kind of problem (managing SSH access for a large number of users) several times and don't think there's a perfect solution for it yet.

An alternative (but also imperfect) solution that I've relied on in the past is using certificate-based authentication:


This still requires the generation of certificates for users but it doesn't require updating the key material on the servers themselves. Having short-lived user certificates then gives the admin an easy way to revoke access to a server without changing any keys there by simply not issuing a new certificate to the user (and in urgent cases to also revoke the certificate as well before it expires, which requires intervention on the server though).

I really hope that OpenSSH keeps improving their (still largely incomplete) PKI implementation, as I think it's a great feature for larger organizations.

FreeIPA - I wish more people knew about this. You can tie a public SSH key to a user (users can also self-register them) and it is automatically recognized on all hosts joined to the IPA domain, if you want to limit who has access to what the integrated RBAC facilities are there to handle that as well.

Cool! Thanks for the tip! :)

Have you looked at ScaleFT? https://www.scaleft.com

They apply BeyondCorp style management for both server and web access.

There is also Teleport by Gravitational: https://gravitational.com/teleport/

I love vault's functionality around this: https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-cert...

Along with something like Packer to bake the cert right into the image.

We (Foxpass, https://www.foxpass.com/) are a YCS15 company offering a SaaS (or on-prem) service to handle SSH key management & rotation, plus user and group management.

With our API, some customers are creating dynamic access rules (for example, an on-caller might have 'sudo' during their on-call week, but not at other times).

Like a hosted FreeIPA, but more powerful.

If you're managing large amount of servers and don't want to update configs on the servers themselves then use e.g. OpenLDAP.

There is a security issue with using AD/OpenLDAP. That being passwords. An example is you can debug/trace the SSH process and see(log) passwords in clear text.

Now of course this is both a trust and a escalated privilege issue. But a lot harder(impossible) with keys.

There's various methods to put SSH keys in LDAP. LDAP is an extensible database, so you can add a schema to attach SSH keys to a user (various schemas exist) - and the AuthorizedKeysCommand in your sshd_config can be hooked up to any program which can retrieve keys for a given user from anywhere (again, various programs exist).

As an example already put together: https://github.com/jirutka/ssh-ldap-pubkey

If you're using straight passwords, sure, an ssh key (ideally in a directory) is going to beat a password-only login, but that ssh key is still subject to credential theft. I'm in the process of migrating an environment off of ssh-key authentication over to password+otp based kerberos (FreeIPA, though AD makes this easy too). A single password+otp login gets an 8 hour (non-renwable, in this environment) ticket. At the end of those 8 hours, users have to obtain another ticket with a password+otp. What's particularly nifty about this scheme is that it's useful for not only ssh access, but internal https services as well.

You can put keys in LDAP.

Genuine question: what functionality does this provide that e.g. Ansible doesn't?

With Ansible, one can put the SSH keys into a .yml file in a format that is very similar to the examples in the OP, then the authorized_key module can be used to ensure that the key is present (or absent) on the remote servers. It's really-really trivial. Maybe the difference is that you can paste the SSH key into the CLI instead of a file... hm.

You're much better off using AuthorizedKeysCommand as vertex-four suggested, and ditch passwords completely. It just needs to return the SSH public key of the login user. You can get that from any backend you like. If you have an LDAP server, great. But it doesn't have to be anything fancy; you could pull the user's key off a web server!

Distributing accounts and SSH keys via any configuration management system is clunky by comparison, and scales badly when you get to many hundreds of users and thousands of servers.

It doesn't. A bit faster maybe.

Ansible is perfect for deploying SSH keys.

Nice. I do the same, with Saltstack. I manage all my users' access, including account creation and removal, password setting, and key management. Easy peasy.

Can you post an example of this? Link works too.

What's the advantage to this over setting up an SSH CA?


If you're in AWS, you can also look at Bless, which is Lambda-hosted and mints short-lived certificates with a command-line client:


If you’re in AWS, wouldn’t SSM agents on instances be preferable to SSH access? That provides for both access control (IAM for user access, SSM documents for constraining command execution authority) and auditing/logging of executed commands (CloudTrail).

This does not work for interactive terminal use cases, but does work (in my experience) if you’re targeting immutable instances. It also has the lovely side effect that you can create scheduled tasks within the AWS control plane (if that’s your cup of tea).

Example SSM client: https://github.com/itsdalmo/ssm-sh

Disclaimer: I’m implementing this in a large enterprise environment.

Slightly off-topic: I've seen a few references to the Asterix A38 scene in open source projects recently and it always seems to be a sure sign the developers are german. Is this actually a german-only thing?

It resonates highly with the kind of bureaucracy that Germans have to put up with.

Therefore it wouldn't surprise me if this scene is most popular with Germans and others nationalities only regard it as a funny, exaggerated sequence. Whereas for Germans it hits close to home.

No idea but I'm dutch and this used to be one of my favorite movies, so it could also have been a dev from the Netherlands. I love indeed how it describes bureaucracy but I used to really love that Chef that keeps bringing food enthusiastically.

Asterix Andy Obelix are big in Germany At least in my childhood:-D But it is French

All very nice but according to Circular B 65 you will also need Permit A39.

Fun fact: there is a ship by this name: https://www.a38.hu/en/

Not sure if the ship was named after it as well, but Permit A38 references a scene from an Asterix and Obelix animated film (https://en.wiktionary.org/wiki/Passierschein_A38; https://www.youtube.com/watch?v=GI5kwSap9Ug). The comic series by René Goscinni and animated films were very popular in Europe, probably not so much in the US.

Permit A38 refers to a scene where the protagonists are referred multiple times within a overly beaurocratic Roman administrative office, so it has become sort of synonymous with a Sysiphean task in German language (at least in limited circles).

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact