SSH authentication using user and machine identities

  • Published: 1 Oct 2024
  • media.ccc.de/v...
    Strong authentication requires multiple signals: identity claims prove the identity of the person, device attestation proves possession of a given machine, and device-bound keys prevent the key from being stolen.
    In this presentation we will take a look at how the TPM provides device attestation and device-bound keys. We will connect this with identity claims from SSO providers to provide centrally managed, short-lived SSH certificates for users and their devices. This is implemented as an open-source project called “ssh-tpm-ca-authority”.
    Morten Linderud
    cfp.all-system...
    #asg2024
    Licensed to the public under creativecommon...
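    The certificate side of this design, as an added example that is not part of the talk or of the ssh-tpm-ca-authority project: a CA issues a one-hour SSH user certificate whose principals name both the SSO identity and the attested device, so a server can accept only that user on that machine. Software keys stand in for the TPM-bound key and the attestation check itself is not reproduced; it assumes ssh-keygen is installed, and the user and device names are constructed.

```shell
#!/bin/sh
# Added example (not from the talk or project): mint a short-lived SSH user
# certificate that binds an SSO identity to an attested device identifier.
# Software keys stand in for the TPM-bound client key; attestation is assumed
# to have already succeeded before issue_cert is called.
set -eu

WORK="$(mktemp -d)"

# issue_cert USER DEVICE: sign the client's public key with the CA key.
# Validity is 1 hour (with 1 minute of clock skew); principals are the plain
# user name and a device-bound "<user>@<device>" principal. Prints cert path.
issue_cert() {
    user="$1"; device="$2"
    # CA key lives with the authority; the client key would normally be in the TPM.
    [ -f "$WORK/ca" ] || ssh-keygen -q -t ed25519 -N '' -C 'example-ca' -f "$WORK/ca"
    [ -f "$WORK/user_key" ] || ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$WORK/user_key"
    ssh-keygen -q -s "$WORK/ca" -I "$user@$device" \
        -n "$user,$user@$device" -V "-1m:+60m" \
        -O no-port-forwarding "$WORK/user_key.pub"
    echo "$WORK/user_key-cert.pub"
}

# cert_has_principal CERT PRINCIPAL: succeeds if the certificate lists PRINCIPAL.
cert_has_principal() {
    ssh-keygen -L -f "$1" | grep -qx "[[:space:]]*$2"
}

# On a server, sshd trusts the CA via "TrustedUserCAKeys /etc/ssh/ca.pub" and an
# AuthorizedPrincipalsFile containing only "alice@laptop-01" rejects certificates
# issued to the same user from any other device.
CERT="$(issue_cert alice laptop-01)"   # constructed user and device names
ssh-keygen -L -f "$CERT"
```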

Comments • 1

  • @MikeButash 3 days ago +1

    Great talk and very cool functionality!
    I've been looking at enterprise PKI products for a customer that do this, notably Smallstep and Okta, both starting to leverage Device Attestation features for binding certificates to hardware for this very purpose. We began looking for internal enterprise PKI certificates for remote authentication (vpn) and networking (wired/wireless lan, 802.1x), but really want to leverage this for server access (ssh, tls applications) consistently using the same x.509 certificates in orchestration with the IDP since Okta now supports DA features.
    I'm glad to see more on this topic from folks looking for and/or creating solutions too.