Absolutely nothing special about them. They trust the same LDAP/Kerberos infra the laptops are part of. We have two-factor authentication, which is pretty simple with PAM. And they're only accessible if you are in our…
We only do that in bastion servers. It would be a bit trickier with laptops, but doable I guess.
Also, we bind certificates to the hosts that requested them. If a certificate and its private key move somewhere else, they will be useless. ssh-keygen -O source-address=1.2.3.4...
In fact, we use a lot the terms authn, authz, authnz and AAA at Facebook. :-)
We have hundreds of thousands of servers and we also run sshd inside containers everywhere, so we probably have over a million endpoints we can SSH into. Cache is only good for things you login frequently, like your…
We can use RevokedKeys for that, but in fact we normally issue short-lived certificates. If we ever have a mass certificate leak, we'll just rotate the entire CA.
Yeah, I didn't have one, I guess. I was hoping to get notifications from this thread, but no. :-(
I'm a drop out from a 3rd world country and I'm an engineer at Facebook. I'm also an interviewer, an trust me guys. We really don't care where and if you graduated. If you are good, you are in.
Absolutely nothing special about them. They trust the same LDAP/Kerberos infra the laptops are part of. We have two-factor authentication, which is pretty simple with PAM. And they're only accessible if you are in our…
We only do that in bastion servers. It would be a bit trickier with laptops, but doable I guess.
Also, we bind certificates to the hosts that requested them. If a certificate and its private key move somewhere else, they will be useless. ssh-keygen -O source-address=1.2.3.4...
In fact, we use a lot the terms authn, authz, authnz and AAA at Facebook. :-)
We have hundreds of thousands of servers and we also run sshd inside containers everywhere, so we probably have over a million endpoints we can SSH into. Cache is only good for things you login frequently, like your…
We can use RevokedKeys for that, but in fact we normally issue short-lived certificates. If we ever have a mass certificate leak, we'll just rotate the entire CA.
Yeah, I didn't have one, I guess. I was hoping to get notifications from this thread, but no. :-(
I'm a drop out from a 3rd world country and I'm an engineer at Facebook. I'm also an interviewer, an trust me guys. We really don't care where and if you graduated. If you are good, you are in.