by batbomb 2528 days ago
I'd like to see an MFA-version of Kerberos/kinit, and a PAM module that checks for ticket revocation on login.

That's not so different from BeyondCorp and Uber's model.

Alternatively, some kind of OpenID Connect init (oidcinit) to get a JWT and then a PAM module like the Kerberos one (which also checks the JWT's Key Id for revocation on authentication).

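The login-time check sketched in the post (a JWT obtained by an "oidcinit" step, then a PAM-style module that refuses tokens whose Key Id has been revoked), written out as an added illustration that is not from this thread or from any of the projects mentioned. The HS256 signing key, the key ids and the revocation set are constructed for the demo; a real module would fetch the IdP's key set and revocation state rather than hard-code them.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo material (hypothetical): the IdP's current signing key by key id,
# and the set of key ids the IdP has revoked. In practice both come from the IdP.
SIGNING_KEYS = {"kid-2024-01": b"demo-secret-key-not-for-production"}
REVOKED_KIDS = {"kid-2023-12"}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(kid: str, key: bytes, claims: dict) -> str:
    """Stand-in for the 'oidcinit' step: issue an HS256 JWT under key id `kid`."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def pam_decide(token: str, now: Optional[float] = None) -> tuple[bool, str]:
    """PAM-style authentication decision: returns (allow, reason).
    The kid is checked against the revocation set before the signature is trusted,
    so a token signed with a revoked key is rejected even if it verifies."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, or wrong number of segments
        return False, "malformed token"
    kid = header.get("kid")
    if kid in REVOKED_KIDS:
        return False, f"key id {kid} revoked"
    key = SIGNING_KEYS.get(kid)
    if key is None or header.get("alg") != "HS256":
        return False, "unknown key id or algorithm"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, f"user {claims.get('sub')} authenticated"
```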

From what I've read about BeyondCorp it's far more sophisticated than just Teleport. It's also a service monitoring status of a device including boot security throughout the entire life of the device, private keys stored in TPM, plus various tiers that depend on multiple factors.
Author here. Yes, BeyondCorp is a farther-ranging approach to security, and SSH is one piece of it. https://www.beyondcorp.com/
I think we have just the (Open Source) solution for you: https://bit.ly/Keymaster https://github.com/Symantec/keymaster This issues MFA-ed ephemeral credentials: SSH certs, Kerberos-compatible X509 certs, X509 certs for Kubernetes, as well as being an OpenID-Connect/OAuth2 Identity Manager.
freeipa has this

users with totp tokens can kinit using their password+totp in the password field. better still, if you use PAM for all your services, you can define hbac rules allowing users access to specific services on specific hosts.

the caveat is that the freeipa servers must be available to provide authorization even once the ticket is issued. with x509, the authenticating host doesn't need to rely on a server for anything but CRL checks