In any large organisation, managing access to servers and cloud resources is difficult.
There is often a tradeoff between convenience and security.
Changing these settings in production is also a bit scary, as you can lock yourself out of your own servers…
One solution, described by Facebook Engineering and by smallstep, is to use certificates issued by an SSH certificate authority (CA) to authenticate and authorise SSH users, instead of distributing individual public keys to every host.
In this post we will look at what we need to achieve better SSH security and how to implement it…
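To make the certificate approach concrete before the reading list, here is an added example (not code from the original post, Facebook Engineering or smallstep) of the minimal SSH CA flow using only OpenSSH's `ssh-keygen`: a CA key pair, a user key pair, a short-lived user certificate with explicit principals, and the checks a host would rely on. The key names, the key ID `alice-demo`, the principals `alice` and `deploy`, and the `/etc/ssh/trusted_user_ca_keys.pub` path are all constructed for the demo; in a real deployment the CA private key would live in Vault or an HSM, never on a host.

```shell
#!/bin/sh
# Added example: SSH user-certificate issuance with an SSH CA (not the post's own code).
# Assumes OpenSSH's ssh-keygen is installed; every path and name below is constructed.
set -eu

WORK="${TMPDIR:-/tmp}/ssh-ca-demo.$$"

# issue_user_cert: create a CA key, a user key, and sign the user key with the CA.
# Prints the path of the resulting certificate.
issue_user_cert() {
    mkdir -p "$WORK"
    # 1. CA key pair. The private half is the crown jewel: keep it in Vault/HSM, not on hosts.
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ssh-ca' -f "$WORK/ca"
    # 2. User key pair (what the engineer holds on a laptop).
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/alice"
    # 3. Sign it. -I: key ID that shows up in sshd logs (audit trail);
    #    -n: principals, i.e. the account names alice may log in as;
    #    -V: validity window; short-lived certs make revocation lists mostly unnecessary.
    ssh-keygen -q -s "$WORK/ca" -I 'alice-demo' -n 'alice,deploy' -V '-5m:+8h' "$WORK/alice.pub"
    printf '%s\n' "$WORK/alice-cert.pub"
}

# cert_principals: print the principals embedded in a certificate, comma-separated.
cert_principals() {
    # `ssh-keygen -L` prints a "Principals:" block with one indented name per line,
    # terminated by the "Critical Options:" line.
    ssh-keygen -L -f "$1" | awk '
        /Principals:/       { p = 1; next }
        /Critical Options:/ { p = 0 }
        p { gsub(/^[ \t]+/, ""); printf "%s%s", (n++ ? "," : ""), $0 }'
    printf '\n'
}

# cert_signed_by: succeed only if the certificate was signed by the given CA public key.
# This is the same trust decision sshd makes against TrustedUserCAKeys.
cert_signed_by() {
    cert="$1"; capub="$2"
    # `ssh-keygen -l` prints: "256 SHA256:<fp> demo-ssh-ca (ED25519)"
    want=$(ssh-keygen -l -f "$capub" | awk '{ print $2 }')
    # `ssh-keygen -L` prints: "Signing CA: ED25519 SHA256:<fp> (using ssh-ed25519)"
    got=$(ssh-keygen -L -f "$cert" | awk '/Signing CA:/ { print $4 }')
    [ "$want" = "$got" ]
}

# trusted_ca_line: the single sshd_config line that makes a host trust every
# certificate the CA signs, so no per-user authorized_keys entries are needed.
trusted_ca_line() {
    printf 'TrustedUserCAKeys /etc/ssh/trusted_user_ca_keys.pub\n'
}

cleanup() { rm -rf "$WORK"; }

# Stand-alone run: `sh ssh-ca-demo.sh demo`
if [ "${1:-}" = demo ]; then
    CERT=$(issue_user_cert)
    echo "certificate: $CERT"
    echo "principals:  $(cert_principals "$CERT")"
    cert_signed_by "$CERT" "$WORK/ca.pub" && echo "signature:   valid for this CA"
    echo "sshd_config: $(trusted_ca_line)"
    cleanup
fi
```

The point to notice is the split of responsibilities: hosts only ever learn the CA public key, the CA decides who gets which principals and for how long, and the user's own key never has to be copied anywhere. Swapping the local `ssh-keygen -s` step for Vault's SSH secrets engine changes where the CA key lives and who may ask for a signature, not the certificate format or the host-side configuration.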
What we need to know
The topics we should read up on are:
- TLS certificates and public key cryptography
- OpenSSL
- Public Key Infrastructure (PKI)
- SSH
- Hashicorp Vault
Some useful books and posts are:
- Network Security with OpenSSL 2009
- Implementing SSL/TLS Using Cryptography and PKI – Joshua Davies 2011
- SSL and TLS Theory and Practice, Second Edition – Oppliger Rolf 2016
- Certificate Management with Hashicorp Vault – blog post
- SSH, the Secure Shell – Barrett Daniel 2009
That is a lot of reading.