Haha, great minds think alike, as they say. One of my colleagues (from a cloud security company) wrote basically the same thing in Go: https://github.com/cloudtools/ssh-cert-authority
There's also a really fantastic product that works via signed SSH certs called Teleport <https://github.com/gravitational/teleport>, from Gravitational, also written in Go. The basic version is open source, but the really useful version with things like SAML federation is a paid product.

On Sat, May 2, 2020 at 1:51 PM Brian Candler <b.cand...@pobox.com> wrote:
> The more I think about it, the more I like the self-referential nature of
> sshagentca talking to ssh-agent to sign certificates to distribute to
> another ssh-agent :-)
>
> The main security weakness I can see is that ssh-agent will sign any data
> you give it - hence anyone who gets direct access to the socket could sign
> themselves a certificate with infinite lifetime. ssh-agent can run another
> process as a direct child, but I think they still communicate via a unix
> domain socket.
>
> BTW, I think sshagentca is a fantastic little project. One of the things
> I've just tested is using a U2F token (ecdsa-sk), as introduced in OpenSSH
> 8.2. It works perfectly with sshagentca, which then issues me with a
> regular key and certificate (ECDSA-CERT 384). This type of key and
> certificate works with older versions of sshd, meaning you can use
> sshagentca to bootstrap your security from U2F keys without having to
> upgrade sshd on all your hosts. Very neat indeed.

-- 
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CA%2Bv29LvPd_QVBXLxQrAfMSMDtfDF4G8u0rgWMud2gRq5cv085g%40mail.gmail.com.
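The quoted concern above (ssh-agent will sign whatever it is handed, so a certificate with an unbounded lifetime is one socket away) suggests a policy check on the CA or audit side. The following is an added example, not code from sshagentca or from either poster: it decodes the validity window and principals of an ssh-ed25519 OpenSSH certificate blob and rejects unbounded, over-long or principal-less ones. The `build_cert` helper constructs a placeholder certificate with dummy key material and no signature purely so the check can run offline; a real deployment would verify the CA signature first.

```python
import struct

INFINITE = 0xFFFFFFFFFFFFFFFF  # valid_before value of a never-expiring certificate
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b):                       # encode one SSH "string" (uint32 length + bytes)
    return struct.pack(">I", len(b)) + b

def _read_s(buf, off):           # decode one SSH "string" at offset, return (bytes, new offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return bytes(buf[off + 4:off + 4 + n]), off + 4 + n

def build_cert(key_id, principals, valid_after, valid_before, pubkey=b"\x00" * 32):
    """Construct an unsigned test certificate; key, nonce and signature are placeholders."""
    body = (_s(CERT_TYPE) + _s(b"nonce-placeholder") + _s(pubkey)
            + struct.pack(">QI", 1, 1)                      # serial 1, type 1 = user cert
            + _s(key_id) + _s(b"".join(_s(p) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b""))                  # critical options, extensions, reserved
    return body + _s(_s(b"ssh-ed25519") + _s(pubkey)) + _s(b"")  # CA key blob, empty signature

def parse_cert(blob):
    """Decode the certificate fields up to the validity window (no signature check here)."""
    cert_type, off = _read_s(blob, 0)
    if cert_type != CERT_TYPE:
        raise ValueError("unsupported certificate type %r" % cert_type)
    _nonce, off = _read_s(blob, off)
    _pubkey, off = _read_s(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off); off += 12
    key_id, off = _read_s(blob, off)
    plist, off = _read_s(blob, off)          # principals: a string holding nested strings
    principals, p = [], 0
    while p < len(plist):
        name, p = _read_s(plist, p)
        principals.append(name)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return {"serial": serial, "type": ctype, "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def check_lifetime(cert, max_seconds):
    """Return (ok, reason): reject unbounded certs and ones longer than policy allows."""
    if cert["valid_before"] == INFINITE:
        return False, "certificate never expires"
    lifetime = cert["valid_before"] - cert["valid_after"]
    if lifetime > max_seconds:
        return False, "lifetime %ds exceeds policy maximum %ds" % (lifetime, max_seconds)
    if not cert["principals"]:               # empty principal list means valid for any user
        return False, "no principals (valid for any user)"
    return True, "ok"
```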