Enterprise SSH Key Management

Hello,
I'd like to hear your opinion and share experience.
This post is not related to FreeBSD.

Background:
We have an enterprise OnPrem environment with the following setup:
  • Users: 1,000+
  • Infrastructure: 400+ Windows/Unix VMs.
  • Authentication: Microsoft Active Directory for user accounts, with passwords expiring every 45 days.
We need to implement automated SSH certificate management that supports short-lived certificates.
Security team requires regular certificate rotation.

I'm looking at:
- HashiCorp Vault

Has anyone implemented something like this?
What's the easiest way to automatically issue short-lived SSH certificates to many users?
What works best in practice?
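As an added example (not part of any post in this thread), the bare ssh-keygen workflow behind the question: a user CA signs a user's public key into a certificate with a short validity window, an explicit principal list and a trimmed extension set, then reads the result back. The CA name, the user "alice", the "ops" account and the 8-hour TTL are assumptions; only the public half of the CA would ever be placed on hosts.

```shell
#!/bin/sh
# Added example, not from the thread: mint a short-lived OpenSSH user certificate
# with ssh-keygen and read back its validity window, principals and extensions.
# Assumes OpenSSH's ssh-keygen is installed; every name and path is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# CA key pair. In production the private half stays inside Vault (or an HSM);
# only user_ca.pub goes to hosts, referenced by sshd's TrustedUserCAKeys.
ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/user_ca"

# The user's key pair; the private half never leaves the workstation.
ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$WORK/alice"

# issue_cert KEY_ID PRINCIPALS VALIDITY
#   KEY_ID     -> logged by sshd at login, ties the cert to the directory identity
#   PRINCIPALS -> comma-separated Unix account names the cert may log in as
#   VALIDITY   -> ssh-keygen -V spec, e.g. "+8h" (relative) or START:END
# -O clear drops every default extension, then only permit-pty is re-added.
# Prints the path of the signed certificate.
issue_cert() {
    ssh-keygen -q -s "$WORK/user_ca" -I "$1" -n "$2" -V "$3" \
        -z "$(date +%s)" -O clear -O permit-pty "$WORK/alice.pub"
    printf '%s\n' "$WORK/alice-cert.pub"
}

# cert_field CERT FIELD -> value of one "Field: value" line from `ssh-keygen -L`
cert_field() {
    ssh-keygen -L -f "$1" | sed -n "s/^ *$2: *//p"
}

# cert_principals CERT -> principals, one per line (indented lines after "Principals:")
cert_principals() {
    ssh-keygen -L -f "$1" \
        | awk '/^ *Principals:/{p=1;next} /^ *Critical Options:/{p=0} p{sub(/^ */,"");print}'
}

# Demo: an 8-hour certificate for alice, valid for the "alice" and "ops" accounts.
CERT="$(issue_cert alice alice,ops +8h)"
echo "Key ID:     $(cert_field "$CERT" 'Key ID')"
echo "Valid:      $(cert_field "$CERT" Valid)"
echo "Principals: $(cert_principals "$CERT" | tr '\n' ' ')"
```

Hosts enforce the window themselves: once the "Valid ... to" instant passes, sshd rejects the certificate without any revocation step, which is what makes rotation a matter of re-issuing rather than revoking.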
 
Vault is common (used a lot in projects I work with). Unfortunately I'm just a user, so I can't say how easy the automation part is.
However, any centralized secrets storage system worth its salt should offer you policies that can be enforced.
 
Kerberos tickets for ssh.
It is hypothetically possible to integrate ssh with that.
This. But it's tricky if you need service accounts logging in remotely. Works fine for the typical 'user' accounts though; nice added benefit, single sign-on if implemented correctly.

Cross-domain trusts work fine, cross-forest trusts only if they're two way.

Also, since ADS is basically a bastardized combination of Kerberos, LDAP and DNS, you can actually store your SSH keys in AD.
 
You want SSSD2 then, no SSH keys with Kerberos. Though I don't use SSSD2 yet, Kerberos works perfectly with `.k5login`. We even use keytabs from CI/CD jobs.
 