L2hhdGNoZXQv's comments

Upvoting, maybe.


> If you access many machines, how will you know when one is compromised? How will you prevent an attacker from logging in as you?

Even better is to use SSH certificates. That way you don't have to deal with authorized (usually permanent) keys.

Once the SSH CA is installed on the host, the client can generate temporary asymmetric keys and sign them with the CA key before every connection.

There are a few ways to set up this scenario; here's one using Vault:

https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-cert...
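The flow the comment describes, as an added example that is not the commenter's code and not taken from the Vault docs: a local ssh-keygen stands in for Vault as the signer, and the CA name, user `alice` and key id `alice@laptop` are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread: an SSH user-CA flow with short-lived
# certificates, done in a scratch directory using only OpenSSH's ssh-keygen.
# All names (user_ca, alice, alice@laptop) are constructed for the demo.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found, skipping" >&2; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/session_key-cert.pub"

# The CA key pair. The private half stays with the signer (Vault, a bastion);
# only user_ca.pub is copied to hosts.
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/user_ca"
}

# Host side (constructed sshd_config fragment, shown here, not applied):
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
# With that line, no per-user authorized_keys entry is needed any more.
# Client side: a fresh key pair per session, discarded afterwards.
make_session_key() {
  ssh-keygen -q -t ed25519 -N '' -C 'alice-session' -f "$WORK/session_key"
}

# The CA signs it: -I key id (sshd logs it at login, so it is auditable),
# -n the only login name it is valid for, -z a serial so a KRL can revoke it,
# -V a ten-minute validity window instead of a permanent key.
sign_session_key() {
  ssh-keygen -q -s "$WORK/user_ca" -I 'alice@laptop' -n alice -z 1 \
    -V '-1m:+10m' "$WORK/session_key.pub"
}

# Checks analogous to what sshd does at login, read from ssh-keygen -L output.
cert_key_id() {
  ssh-keygen -L -f "$CERT" | sed -n 's/.*Key ID: "\(.*\)"$/\1/p'
}
cert_has_principal() {
  ssh-keygen -L -f "$CERT" | grep -qE "^[[:space:]]+$1[[:space:]]*$"
}
cert_signed_by_ca() {
  ca_fp=$(ssh-keygen -lf "$WORK/user_ca.pub" | awk '{print $2}')
  cert_fp=$(ssh-keygen -L -f "$CERT" | awk '/Signing CA:/ {print $4}')
  [ "$ca_fp" = "$cert_fp" ]
}

make_ca; make_session_key; sign_session_key
echo "key id: $(cert_key_id)"
cert_has_principal alice && echo "principal alice: accepted"
cert_has_principal root || echo "principal root: refused"
cert_signed_by_ca && echo "signed by the trusted CA: yes"
```

Because the certificate carries a key id and a serial, sshd's auth log shows who logged in with which certificate, and a KRL can revoke a single serial without touching the CA.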


Not sure that's any better in security terms. It has some ease of use and central management benefits but also some significant complexity (setup and maintenance of a CA).

My setups just used Puppet to manage an authorized key directory on each machine (basically one line of code), assuming you have a working Puppet setup of course.

I'd consider either approach significantly more secure than passwords, which are a much worse approach.

