Ask HN: Do you use SSH keys at work?

2 points by sshmania ↗ HN
Hi HN! Do you login to SSH servers regularly at work? If so, what are you using to manage authentication?

- Teleport - ScaleFT - Raw SSH Keys + authorized_keys file - Something else?

Thanks!

3 comments

[ 2.5 ms ] story [ 16.0 ms ] thread
I chose to build an OpenLDAP cluster with public keys assigned to user accounts as attributes. It's moderately complicated (since you have to extend the standard schema, set up accurate access controls and alter SSHD on the clients to retrieve the public keys from LDAP instead of locally), however it means the entire stack is under my control and not dependent on an internet connection or a third-party provider. It means I can use the same LDAP auth system I already have set up to manage central auth.

Definitely archaic in the era of Teleport (I looked at it, but decided against giving a third party control over my auth system), but it's pretty reliable and works well.

Interesting thanks! How do you get your engineer's public keys uploaded to the ldap server? Do they generate keys themselves and upload to some portal?

Also what makes you distrust teleport -- is it just third party code? I think you can (or have to) self host it but maybe that's not true for enterprise.

There's a neat Python application, ssh_ldap_pubkey, that not only retrieves the user's pubkeys (e.g. can be called by SSH) but also allows users to manipulate them (add/delete). So end users generate the keys and push them to the LDAP cluster themselves. The backend servers then validate SSH keys against the LDAP servers instead of locally, so it's a perfectly logical extension of existing LDAP functionality.

It's not specifically Teleport I distrust, it's most cloud-based software due to its often-woeful attention to security. Also, if we suffer a major internet outage and my systems lose connection, it shouldn't stop me SSH'ing into them. So long as my LDAP machines, on the same LAN, are up, I can get in.

I also dislike paying for something we could build ourselves for little-to-moderate effort :)