Zero Trust SSH
Speaker | Jeremy Stott |
---|---|
Time | 2020-01-17 10:45 |
Conference | LCA2020 |
Talk details | Link |
SSH certificates.
Host certificates.
Certificates can expire. No need to worry about dangling certificates when employees leave.
Onboarding/offboarding. Added new user’s is a pain. puppet. LDAP. ansible.
Embedded systems.
AWS accounts.
Hosts in different clouds.
pam-ussh by Uber.
Automate certificate signing/revocation.
- Bless. Certificate expiry in 2 minutes.
- python-bless-client.
- step.
- vault.
sshrimp. Shrimp have shells, lightweight. SSH Really Not My Problem.
sshrimp-agent -> OIDC -> JWT
The user must exist on the host. ssh as root or shared user. NSSCache lightweight ldapless directory. Puppet.
Create user’s on the fly. Use two accounts, one to create account, one to use account.
Slides written inside a ssh certificate.