by kevincox 2178 days ago
I think it depends. I've worked in places that had something like the following setup.

- Hardware in datacenters with operators who were not experts on the applications running.
- All remote access was done using short-term (~1 day) ssh keys. There was an authentication service to generate these.

It was pretty easy to imagine that the authentication service would go down. In this case a selection of people who worked on the infrastructure had longer-term keys on HSMs. (With very high logging and alerting for any use). It would actually make sense for these to be CA keys so that they could access different user accounts or similar.

TL;DR you are assuming a very basic SSH auth setup. As the regular setup gets more complicated having something like this as a backup makes sense.
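A check for the policy described above (issued keys that live about a day), as an added example that is not from the thread: it parses the OpenSSH ed25519 certificate wire format and flags any certificate whose validity window exceeds a maximum lifetime. The `build_cert` helper only constructs an unsigned sample certificate so the parser has input; its CA and signature fields are placeholders and are never verified.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"


def _s(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(b)) + b


def build_cert(key_id, principals, valid_after, valid_before, pub=b"\x00" * 32):
    """Constructed, unsigned sample certificate (demo input only; not a real cert)."""
    body = (_s(CERT_TYPE) + _s(b"nonce") + _s(pub)
            + struct.pack(">Q", 1)            # serial
            + struct.pack(">I", 1)            # type 1 = user certificate
            + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + _s(b"") + _s(b"") + _s(b"")     # critical options, extensions, reserved
            + _s(b"ca-placeholder") + _s(b"sig-placeholder"))
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, fmt):
        size = struct.calcsize(fmt)
        (v,) = struct.unpack(fmt, self.data[self.pos:self.pos + size])
        self.pos += size
        return v

    def string(self):
        n = self.take(">I")
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v


def parse_cert(line):
    """Return the identity and validity fields of an ed25519 certificate line."""
    r = _Reader(base64.b64decode(line.split()[1]))
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    r.string(), r.string()                 # nonce, public key
    serial, _type = r.take(">Q"), r.take(">I")
    key_id = r.string().decode()
    pr, principals = _Reader(r.string()), []
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    valid_after, valid_before = r.take(">Q"), r.take(">Q")
    return {"serial": serial, "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def check_lifetime(line, max_seconds=86400):
    """(ok, lifetime_seconds, fields): ok is False when the cert outlives the policy."""
    c = parse_cert(line)
    lifetime = c["valid_before"] - c["valid_after"]
    return lifetime <= max_seconds, lifetime, c
```

Run it over `ssh-keygen -L`-style inputs by feeding the raw `*-cert.pub` line; a longer-lived break-glass certificate, like the HSM-backed ones mentioned above, is exactly what this check would surface for alerting.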


> All remote access was done using short-term (~1 day) ssh keys. There was an authentication service to generate these.

This is weird. Really weird.

Did that service use a more secure authentication storage than a password protected key?

It’s really not - by limiting the life of keys, and having a service generating them, you can more effectively lock things down when someone leaves, rather than going round revoking keys from servers. Something we’re experimenting with at work is AWS Instance Connect, which uses your AWS credentials to push a key to a target instance with 1-minute validity - no more managing keys on instances, and revoking access is just a change to an IAM policy.
As opposed to having a few bastion hosts, and requiring people to log in there in order to then ssh on to their final destinations -- in that case, revoking their keys is as simple as wiping their accounts on the bastion hosts.
Even with a few bastion hosts things get hard to track quickly as you end up with multiple clusters (dev/staging/UAT/production), and potentially multiple production clusters in different regions.
It seems weird but has several advantages. Most places screw up defunct account cleanup and privilege management.

A process like this allows you to ensure that people have the access they need and makes it easy to get them the privilege separation needed.

Yes, the system used multi-factor auth and could be locked for suspicious activities.