
1) Programmatically issue certificates with short lifetimes after authenticating against your IdP. This way if a user is deactivated in LDAP their access will expire on its own after a few hours.

2) Firewall off all but a few bastion hosts and ProxyCommand through those. Immediate revocation can be assured by updating the CRLs on those specific hosts.
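The two steps above as a runnable sketch, added here and not part of the thread: a signing service mints an OpenSSH user certificate with a few-hour validity window, and a KRL (OpenSSH's equivalent of a CRL) pushed to the bastions revokes it early. It assumes a locally generated CA key, a user key named `alice`, and that the bastions' `sshd_config` references the KRL via `RevokedKeys`; all paths and names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): mint a short-lived OpenSSH user
# certificate after IdP authentication, then revoke it via a KRL, which is
# what OpenSSH uses in place of a CRL. All paths and names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/user_ca"          # CA key pair; in production it lives only on the signing service
USERKEY="$WORK/id_ed25519"  # key of the user who just authenticated to the IdP
KRL="$WORK/revoked.krl"     # bastions point sshd's RevokedKeys at this file

# Generate the CA and user keys once (idempotent so re-running never prompts).
setup_keys() {
    [ -f "$CA" ] || ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$CA"
    [ -f "$USERKEY" ] || ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$USERKEY"
}

# issue_cert <key-id> <principals> <validity>: sign the user's public key with a
# validity window such as +4h, so access lapses on its own with no cleanup.
# Prints the path of the resulting certificate.
issue_cert() {
    ssh-keygen -q -s "$CA" -I "$1" -n "$2" -V "$3" -z "$(date +%s)" "$USERKEY.pub"
    printf '%s\n' "$USERKEY-cert.pub"
}

# cert_validity <cert>: the "Valid: from ... to ..." line that sshd enforces.
cert_validity() {
    ssh-keygen -L -f "$1" | grep 'Valid:'
}

# revoke_cert <cert>: write a KRL listing the certificate (by serial) so the
# bastions reject it immediately, well before its expiry.
revoke_cert() {
    ssh-keygen -k -f "$KRL" "$1"
}

# is_revoked <cert>: succeeds when the KRL lists the certificate.
is_revoked() {
    [ -f "$KRL" ] || return 1
    ssh-keygen -Q -f "$KRL" "$1" | grep -qi 'revoked'
}
```

In practice `issue_cert` runs on the signing service only after the IdP login succeeds, and `revoke_cert` output is what gets distributed to the bastion hosts.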



This is definitely the premise of what I was going for with the post. I'm a firm believer in the idea that short-lived certificates which expire by default are one of the best ways to provide access to infrastructure, and enforcing that access comes from a limited list of bastions gives you an easy choke point to withdraw access as desired when you need to.


Isn't there a Netflix SSH CA that does this?



But why go through the extra effort compared to just having your servers ask the IdP for the user's keys?


If your IdP goes down, how will you SSH in to fix it?


Having been on the rough end of this during a huge LDAP outage, I can confirm that LDAP is great until such time as it isn't.


+1 this is no fun.


Currently we use the root "physical" console. Generally we avoid IDP outages by keeping our LDAP servers clustered and geographically diversified. Because LDAP is 99.999% of the time reads, not writes, this makes clustering pretty simple.



