SSH certificates for a federated world

Mads Freek Petersen
Track: Track 3
Description: To allow easy access to SSH-based services in Denmark, DeiC has built an SSH Certificate Authority that issues short-lived SSH certificates based on a federated login. The system requires no special software installed on either the client or the service side, and lets the user use all standard SSH services for as long as the certificate is valid. Depending on the configuration of the participating services, the CA allows the user to have the same username/uid across all services. Optionally, it can be combined with systemd-userdb services to allow fully automated user management. The CA also issues host certificates, so users do not have to trust the servers on first use (TOFU).
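What "short-lived" and "user versus host certificate" look like inside an OpenSSH certificate, as an added example that is not code from the talk or from DeiC: it reads the type, principals and validity window of an ed25519 certificate line (field order per OpenSSH's PROTOCOL.certkeys) and applies a lifetime policy. The 12-hour limit, the principal names and the sample certificates are assumptions constructed for illustration, and the signature is not verified here.

```python
import base64
import struct
USER, HOST = 1, 2  # certificate types defined in OpenSSH's PROTOCOL.certkeys
ALGO = "ssh-ed25519-cert-v01@openssh.com"

def ssh_string(b):  # SSH wire "string": uint32 length, then the bytes
    return struct.pack(">I", len(b)) + b

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated certificate")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def num(self, fmt):  # ">I" is uint32, ">Q" is uint64
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
    def string(self):
        return self.take(self.num(">I"))

def parse_cert(line):
    """Read the fields of an ed25519 certificate line; the signature is NOT verified."""
    algo, blob = line.split()[:2]
    r = Reader(base64.b64decode(blob))
    if algo != ALGO or r.string().decode() != ALGO:
        raise ValueError("not an ssh-ed25519 certificate")
    r.string(), r.string()  # skip nonce and the certified public key
    serial, ctype, key_id = r.num(">Q"), r.num(">I"), r.string().decode()
    p, names = Reader(r.string()), []  # principals: packed strings inside a string
    while p.pos < len(p.data):
        names.append(p.string().decode())
    return {"serial": serial, "type": ctype, "key_id": key_id, "principals": names,
            "valid_after": r.num(">Q"), "valid_before": r.num(">Q")}

def acceptable(cert, now, want_type, principal, max_lifetime=12 * 3600):
    """Right type, expected principal, inside the window, and short-lived."""
    return (cert["type"] == want_type and principal in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"]
            and cert["valid_before"] - cert["valid_after"] <= max_lifetime)

def sample_cert(ctype, principals, after, before):
    """Constructed sample with dummy key and signature bytes, for the parser only."""
    names = b"".join(ssh_string(p.encode()) for p in principals)
    body = (ssh_string(ALGO.encode()) + ssh_string(b"\0" * 32) + ssh_string(b"\1" * 32)
            + struct.pack(">QI", 7, ctype) + ssh_string(b"constructed-key-id")
            + ssh_string(names) + struct.pack(">QQ", after, before)
            + ssh_string(b"") * 3 + ssh_string(b"\2" * 51) + ssh_string(b"\3" * 83))
    return ALGO + " " + base64.b64encode(body).decode()
```

On a real certificate the same fields are what `ssh-keygen -L -f <file>` prints, and sshd itself enforces the signature and the validity window.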
