SSH

Idea:

• Self-service tool for generating SSH certificates

Workflows

Initialisation

• Creates CA certificate

Client Certificates

• Sign-in with identity provider (Keyclock, for example)
• Upload of SSH public key
  • Requires verification: signed message for tool
  • Requires two-factor authentication: email with confirmation
• Request to generate certificate
• Certificate is valid for specified period (one month by default)

Certificate is create with:

• principal: username (from identity provider)

• comment: email address (from identity provider)

• additional principals: member-te-developers, member-te-sysadmins (one principal per group membership)

• more principals: email-domain-example.com

• other metadata?

• options restrictions?

• All signing requests are logged, including inputs/outputs.

• Signing can be done on external machine

Machine Certificate

• Upload of machine hostname pubkey
• Requires approval from other group members?
• Generates key (limited validity?)
• UI shows all machines and when they might expire, Extensions need to be performed manually (maybe with daemon on machine or by SSHing into it and updating host cert?)

Reading

• SSH CA
• sshca
• Keyper
• ssh-ca
• ssh-cert-authority