"Zero Trust SSH" - Jeremy Stott (LCA 2020)
Jeremy Stott
https://lca2020.linux.org.au/schedule/presentation/54/
SSH certificates are an under-utilised feature of OpenSSH, but they offer a fantastic method to solve some pain points of growing teams and growing infrastructure. You don't need to manage complicated directories to live on this greener side of the fence.
Hosts only trust a single public key of a trusted certificate authority instead of keys from every developer (and let's be honest, several who are no longer working at your company :uhoh:). SSH certificates expire (this is good), and can also tell SSH what you can or can't do with your session. They can even help mint a new user on a brand new trusting host. And if you need to use sudo, don't worry, your certificate's got your back too.
How do you get short-lived SSH certificates from a self-service certificate authority? Grab your identity on the CLI using some nifty OAuth2 in your browser, swap this identity to get temporary AWS credentials, invoke a Lambda function, sign a public key, and you're on your merry way.
Open source tools are all over this problem. Let's combine some that have been around forever, and some brand new ones into an awesome solution.
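To make the certificate side of the abstract concrete, here is an added example (not code from the talk or its tooling) that mints an 8-hour, principal-scoped user certificate with stock OpenSSH and inspects it the way a host would before accepting it; the CA name, the user "alice" and the "deploy" principal are assumed values.

```shell
#!/bin/sh
# Added example, not code from the talk: mint a short-lived, principal-scoped
# user certificate with stock OpenSSH tooling and inspect what the host would see.
# Assumes ssh-keygen is on PATH; the CA name, "alice" and the "deploy" principal
# are made-up values for this demo.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found, nothing to demo" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The certificate authority. Hosts trust this single public key via
#    "TrustedUserCAKeys /etc/ssh/user_ca.pub" in sshd_config, not per-developer keys.
ssh-keygen -q -t ed25519 -N '' -C 'demo-ssh-ca' -f "$WORK/ca"

# 2. A developer's own key pair (normally generated on the developer's machine).
ssh-keygen -q -t ed25519 -N '' -C 'alice@example' -f "$WORK/alice"

# 3. Sign the developer's public key. The key id lands in the host's auth log, the
#    principal is matched against AuthorizedPrincipalsFile, and the certificate
#    stops working by itself after 8 hours, with no revocation round-trip needed.
sign_user_cert() {   # $1 = key id, $2 = principal, $3 = public key to sign
  ssh-keygen -q -s "$WORK/ca" -I "$1" -n "$2" -V +8h \
    -O no-agent-forwarding -O no-port-forwarding "$3"   # writes ${3%.pub}-cert.pub
}
sign_user_cert alice deploy "$WORK/alice.pub"

# Principals carried by a certificate, one per line (parsed from ssh-keygen -L output).
cert_principals() {
  ssh-keygen -L -f "$1" | awk '/Principals:/{p=1;next} /Critical Options:/{p=0} p{print $1}'
}

# permit-* extensions the certificate still grants, one per line.
cert_extensions() {
  ssh-keygen -L -f "$1" | awk '/Extensions:/{p=1;next} p && NF{print $1}'
}

# Fingerprint of the CA that signed the certificate, and of the CA we actually trust;
# a host compares these before believing anything else the certificate claims.
cert_signing_ca() { ssh-keygen -L -f "$1" | awk '/Signing CA:/{print $4}'; }
ca_fingerprint()  { ssh-keygen -lf "$WORK/ca.pub" | awk '{print $2}'; }

echo "principals: $(cert_principals "$WORK/alice-cert.pub" | tr '\n' ' ')"
echo "extensions: $(cert_extensions "$WORK/alice-cert.pub" | tr '\n' ' ')"
if [ "$(cert_signing_ca "$WORK/alice-cert.pub")" = "$(ca_fingerprint)" ]; then
  echo "certificate was signed by the trusted CA"
else
  echo "certificate was NOT signed by the trusted CA" >&2; exit 1
fi
```

Run it as a plain sh script; everything is created under a temporary directory that is removed on exit, so nothing touches your real SSH configuration.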
linux.conf.au is a conference about the Linux operating system, and all aspects of the thriving ecosystem of Free and Open Source Software that has grown up around it. Run since 1999, in a different Australian or New Zealand city each year, by a team of local volunteers, LCA invites more than 500 people to learn from the people who shape the future of Open Source. For more information on the conference see https://linux.conf.au/
Produced by NDV: https://youtube.com/channel/UCQ7dFBzZGlBvtU2hCecsBBg?sub_confirmation=1
#linux.conf.au #linux #foss #opensource
Fri Jan 17 10:45:00 2020 at Room 5
Video "Zero Trust SSH" - Jeremy Stott (LCA 2020) from the linux.conf.au channel