![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
robopet3Niall Sheridan, Intercom
Everyone uses SSH to manage their production infrastructure, but it's really difficult to do a good job of managing SSH keys. Many organisations don't know how many SSH keys have access to production systems or how protected those keys are. A trusted SSH private key can be years old, unprotected by passphrase, and shared among multiple people who may not even work for you.
With some tooling and configuration SSH keys can be replaced with limited-use ephemeral certificates, issued centrally and with better access controls and automatic key expiration, solving many of the shortcomings of using SSH keys.
This talk will cover:
Managing SSH keys: The bad parts
Replacing SSH keys with ephemeral certificates: how & why
Discussion of an implementation of a CA for SSH certificates
Call for participation, showing github source
https://www.youtube.com/watch?v=NCEQj27A3XA
View the full LISA17 program: https://www.usenix.org/lisa17/program
Everyone uses SSH to manage their production infrastructure, but it's really difficult to do a good job of managing SSH keys. Many organisations don't know how many SSH keys have access to production systems or how protected those keys are. A trusted SSH private key can be years old, unprotected by passphrase, and shared among multiple people who may not even work for you.
With some tooling and configuration SSH keys can be replaced with limited-use ephemeral certificates, issued centrally and with better access controls and automatic key expiration, solving many of the shortcomings of using SSH keys.
This talk will cover:
Managing SSH keys: The bad parts
Replacing SSH keys with ephemeral certificates: how & why
Discussion of an implementation of a CA for SSH certificates
Call for participation, showing github source
https://www.youtube.com/watch?v=NCEQj27A3XA
View the full LISA17 program: https://www.usenix.org/lisa17/program
