Weekend Project: Single sign-on for SSH скачать в хорошем качестве

Weekend Project: Single sign-on for SSH

This video explains how to set up single sign on (SSO) for SSH using open source tools. Behind the scenes, we'll use OpenID Connect (OIDC), short-lived SSH certificates, Smallstep's open-source SSH Certificate Authority, and a couple of clever SSH configuration tweaks. We'll start by setting up the CA. Then we'll bootstrap a new EC2 instance with our CA and configure SSHD. And finally, we'll set up the end-user SSH environment locally and sign in to our new host! While this approach requires more up-front work than a typical SSH public/private key setup, it comes with a lot of benefits that extend beyond single sign-on. It eliminates the need for having authorized_keys files on your servers, it offers passive revocation of SSH user certificates (they only last one day—whereas public/private key pairs never expire), it eliminates the need to trust a new host's key fingerprint when a user first connects, and it adds MFA authentication to SSH, if you want that. We use Google OAuth, but you can use any OAuth OIDC provider you like. Follow along with our blog post: https://smallstep.com/blog/diy-single... Here's the script we'll use to bootstrap the SSH CA in an Ubuntu 18.04 instance: https://gist.github.com/tashian/244fc... And here's the script for bootstrapping an EC2 host that delegates authentication to our SSH CA: https://gist.github.com/tashian/fde43... Questions? Connect with us on GitHub Discussions: https://github.com/smallstep/certific...