はてなブックマーク

If you’re not using SSH certificates you’re doing SSH wrongUpdated on: May 20, 2024 SSH is ubiquitous. It's the de-facto solution for remote administration of *nix systems. But SSH has some pretty gnarly issues when it comes to usability, operability, and security. You're probably familiar with these issues: SSH user experience is terrible. SSH user on-boarding is slow and manual. Connecting to ne

Build a Tiny Certificate Authority For Your HomelabUpdated on: May 20, 2024 Updated on February 16, 2023 TL;DR In this tutorial, we're going to build a tiny, standalone, online Certificate Authority (CA) that will mint TLS certificates and is secured with a YubiKey. It will be an internal ACME server on our local network (ACME is the same protocol used by Let's Encrypt). The YubiKey will securely

How Smallstep SSH Works Smallstep delivers end-to-end SSH workflow that marries modern identity providers with short-lived SSH certificates and flexible access control. At the core is step-ca, our open-source certificate authority, and our step CLI toolkit that makes SSO for SSH a simple and elegant experience for users. Available on-premise or as a managed offering. Users sign in to your identity

Experience SSH certificates for yourself in <5min⚡! In this post we'll design a break glass procedure for reaching SSH hosts in an emergency, using security keys that you can store offline. This is just one approach, but you can adapt it to your circumstances. We will store an offline SSH Certificate Authority on a hardware security key, and have our hosts trust that CA. This will work on pretty m

Purveyor of Single Sign-on SSH | The better way to manage SSH credentials "And the words slide into the slots ordained by syntax, and glitter as with atmospheric dust with those impurities which we call meaning." — Anthony Burgess, Enderby, 406 Naming a CLI command requires deep and careful deliberation. Yet most commands seem to have been named with playful insouciance at best, and foolish indiff

Experience SSH certificates for yourself in <5min⚡! Introduction The SSH agent is a central part of OpenSSH. In this post, I'll explain what the agent is, how to use it, and how it works to keep your keys safe. I'll also describe agent forwarding and how it works. I'll help you reduce your risk when using agent forwarding, and I'll share an alternative to agent forwarding that you can use when acc

Experience SSH certificates for yourself in <5min⚡! Here are some of our best tips & tricks for using SSH more effectively. This post will cover how to: Add a second factor to your SSH login Use agent forwarding safely Exit from stuck SSH sessions Keep a persistent terminal open Share a remote terminal session with a friend (without Zoom!) Add a second factor to your SSH Here's five different ways

Experience SSH certificates for yourself in <5min⚡! TL;DR In this post we're going to set up Google single sign-on for SSH. Behind the scenes, we'll use OpenID Connect (OIDC), short-lived SSH certificates, a couple of clever SSH configuration tweaks, and Smallstep's open-source step-ca and step packages. We will set up an SSH Certificate Authority, and use it to bootstrap a new host and a new user

Everything you should know about certificates and PKI but are too afraid to askUpdated on: May 20, 2024 Certificates and public key infrastructure (PKI) are hard. No shit, right? I know a lot of smart people who've avoided this particular rabbit hole. Personally, I avoided it for a long time and felt some shame for not knowing more. The obvious result was a vicious cycle: I was too embarrassed to