Hello, some comments below.
On Tuesday 13 of September 2016 08:51:12 Ohad Levy wrote:
> Hi,
>
> I was looking at [1] which talks about how to leverage a CA for managing
> SSH access, and I thought it could be interesting for REX and potentially
> for foreman to manage.
>
> In the post, they describe how they create different principals (groups -
> think hostgroups) for access, generating certificates with expiration etc.
>
> Since we already have some of the certificate handling code (puppet ca,
> pulp / katello certs) I wonder if it makes sense to generalize it and offer
> SSH certificates (and their management and possibly an auditing system for
> their usage) offering?

I was thinking about this earlier, the major benefit I see is that in case we change the key that Foreman uses we wouldn't have to update all hosts. Since we currently only install it during provisioning it might be very helpful.

OTOH we should also provide a puppet module that would configure this key so there's an easy way to update it also for unmanaged hosts. Then the CA might not have that many benefits, we'd have to distribute the CA pub key instead of the main pub key. Probably the biggest benefit would be the key expiration.

If we decide to generalize the CA handling I'd first look if we could use something existing, e.g. FreeIPA. Maybe we could provide our simple backend too but I'd like to avoid building our own CA on top of ssh-keygen :-)

I'd also like to keep it in a separate plugin - probably rex.

-- Marek

> Ohad
>
> [1]
> https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/
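To make the trade-off in the thread concrete (one CA public key on each host instead of one static Foreman key, principals as hostgroup-like access groups, certificates that expire), here is an added example of the ssh-keygen based flow the linked post describes. It is not code from the thread or from Foreman; the CA comment, the `rex-admins` principal, the `+8h` validity and the `/etc/ssh/...` paths are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Foreman): a minimal SSH user-CA flow.
# One CA key signs short-lived user certificates that carry a principal
# (think hostgroup); managed hosts trust the CA public key, so rotating the
# key Foreman uses means replacing one file, not every authorized_keys.
# All names below (foreman-ssh-ca, rex-admins, /etc/ssh/...) are constructed.
set -eu

# Create the CA key pair as $1/ca and $1/ca.pub (no passphrase: demo only).
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'foreman-ssh-ca' -f "$1/ca"
}

# Sign $2/user.pub with the CA in $1: key id $3, principal $4, validity
# interval $5 (e.g. +8h, so the cert expires on its own). Writes $2/user-cert.pub.
sign_user_key() {
    ssh-keygen -q -s "$1/ca" -I "$3" -n "$4" -V "$5" "$2/user.pub"
}

# Print the principals embedded in certificate $1, one per line, by reading
# the "Principals:" section of `ssh-keygen -L` output.
cert_principals() {
    ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
        | grep -v -e 'Principals:' -e 'Critical Options:' | tr -d ' \t'
}

# Print the "Valid: from ... to ..." line of certificate $1, i.e. its expiry window.
cert_validity() {
    ssh-keygen -L -f "$1" | grep 'Valid:' | sed 's/^[[:space:]]*//'
}

# Print the sshd_config lines a managed host needs to trust the CA; the
# per-user file under auth_principals lists which principals may log in as %u.
host_sshd_config() {
    cat <<'EOF'
TrustedUserCAKeys /etc/ssh/ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
}
```

Run `make_ca`, generate a user key, then `sign_user_key` and inspect the result with `cert_principals` and `cert_validity`; an expired certificate is rejected by sshd without any change on the host.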
