Presented by

  • Jeremy Stott

    Jeremy Stott
    @jsstott

    Jeremy is an engineer who loves to build everything from washing machines to wearables, embedded systems to servers. Recently he's been creating security tools and infrastructure as a security operations engineer at Vend. While building things is fun, breaking things is better.

Abstract

SSH certificates are an under-utilised feature of OpenSSH, but they offer a fantastic method to solve some pain points of growing teams and growing infrastructure. You don't need to manage complicated directories to live on this greener side of the fence. Hosts only trust a single public key of a trusted certificate authority instead of keys from every developer (and let's be honest, several who are no longer working at your company :uhoh:). SSH certificates expire (this is good), and can also tell SSH what you can or can't do with your session. The can even help mint a new user on a brand new trusting host. And if you need to use sudo, don't worry your certificate's got your back too. How do you get short lived SSH certificates from a self service certificate authority? Grab your identity on the cli using some nifty OAuth2 in your browser, swap this identity to get temporary AWS credentials, invoke a lambda function, sign a public key, and you're on your merry way. Open source tools are all over this problem. Let's combine some that have been around forever, and some brand new ones into an awesome solution. Linux Australia: http://mirror.linux.org.au/pub/linux.conf.au/2020/room_5/Friday/Zero_Trust_SSH.webm YouTube: https://www.youtube.com/watch?v=lYzklWPTbsQ