====== Certificate Management for Access ======

Tools for managing access through SSH certificates (//authorized_keys//).

  * Key Revocation Lists (KRL): [[https://keyper.dbsentry.com/post/anatomy-of-openssh-krl/|Anatomy of OpenSSH Key Revocation List (KRL) File]]

====== Central services ======

  * [[https://www.freeipa.org/page/Main_Page|FreeIPA]] manages Linux users and client hosts in your realm from one central location with CLI, Web UI or RPC access. It enables Single Sign-On authentication for all your systems, services and applications.
  * [[https://github.com/Netflix/bless|Netflix Bless]] is an SSH Certificate Authority that runs as an AWS Lambda function and is used to sign SSH public keys.
  * [[https://github.com/mikesmitty/curse|Curse]] is an SSH certificate signing server, built as an alternative to Netflix's BLESS tool but without a dependency on AWS.
  * [[https://www.hashicorp.com/products/vault/ssh-with-vault|Hashicorp Vault]] provides users a secure way to authenticate, authorize, and automate access to machines via the SSH protocol: [[https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates|Signed SSH certificates]].
  * [[https://github.com/gravitational/teleport|Teleport SSH]] is the easiest, most secure way to access all your infrastructure. Teleport is an identity-aware, multi-protocol access proxy which understands the SSH, HTTPS, RDP, Kubernetes API, MySQL, MongoDB and PostgreSQL wire protocols. See [[https://www.the-digital-life.com/ssh-teleport/|Manage your SSH Servers with Teleport]].
  * [[https://sites.google.com/site/jeromeboismartel/code-s-corner/ssh-key-management-with-skimp|SKM]] is a LAMP application that enables a team of system administrators to centrally manage and deploy SSH keys.

====== Certification Authority ======

  * [[https://deployando.me/podcast/31-ca-para-ssh/|CA para SSH]] (CA for SSH)
  * [[https://github.com/nsheridan/cashier|Cashier]] is an SSH Certificate Authority (CA).

====== Deployment ======

  * [[https://github.com/ierror/ssh-permit-a38|SSH Permit A38]]: central management and deployment of SSH keys.
  * [[https://code.google.com/archive/p/ssh-keydb/|SSH KEYDB]] provides a way to easily manage the authorized_keys files containing the OpenSSH public keys used for key-pair authentication. Assuming the keys are managed per user, it is then possible to define roles and memberships on groups of machines for each individual.

====== OpenSSH addons ======

  * [[https://github.com/mizzy/openssh-script-auth|SSH Script Auth]]: an OpenSSH hack that allows you to use a custom script to do public key lookup and authentication.

====== Other ======

  * [[https://www.usenix.org/conference/srecon17europe/program/presentation/sheridan|Managing SSH Access without Managing SSH Keys]]: with some tooling and configuration, SSH keys can be replaced with limited-use ephemeral certificates, issued centrally and with better access controls and automatic key expiration, solving many of the shortcomings of using SSH keys. Video: [[https://youtu.be/NCEQj27A3XA|LISA17 - Managing SSH Access without Managing SSH Keys]].
  * [[https://www.ssh.com/products/universal-ssh-key-manager/|SSH Universal Key Manager UKM]]: Universal SSH Key Manager® (UKM) is a Zero Trust Encryption Key Management solution that automates governing thousands of keys according to compliance and security standards. It mitigates risks, reduces key management overhead, and helps pass IT audits.

====== Cloud Services ======

  * [[https://userify.com/|Userify]]: the SSH Key Manager for Clouds. Manage team SSH keys across clouds and continents using Ansible, Chef, Puppet, Salt, CloudFormation, Terraform, or custom scripts.