by POPOSYS 1255 days ago
Do you have some data about how many orgs actually set SSH PAM via LDAP?

Where can I see this data? I would like to check your statements.

We are on the internet, so would you please add the source of knowledge to your statements - it is a very basic and good feature called "URL", please use it!

Or do you just want to say "I have not seen many orgs with SSH + LDAP in my career because I have never worked in one and from that I conclude that the whole world works like this"?


Most orgs are incompetent. We had the same discussion with many of our clients, where their requirement was stupid shit like "change password every month" while we had to negotiate that no, we don't even use passwords in the first place, we use hardware tokens for SSH keys.

And I'm talking about a few big local banks, where accounts on Red Hat boxes are still created by some ops dude manually according to some docs.

I don't think that I or anyone reading that statement would come to the conclusion that the world works the way I suggested in that argument.

I can talk about my interviewing and the empirical data from talking to dozens of companies from seed to series B and how they have been managing access to servers. But I won't; I would rather urge you to do a basic trend search either on Google or your favorite platform for "SSH PAM via LDAP" or "SSH LDAP" and see for yourself where the world is heading [1].

[1] https://trends.google.com/trends/explore?date=today%205-y&q=...

Oh, I’m sure it’s super rare. It’s actually quite easy to setup, but I’m not sure many people bother with the setup because LDAP (I’m not counting Active Directory) in general isn’t all that common. I know this just from the rarity of articles posted about getting it configured.

But once you do it, it’s something that’s easy to keep using because it’s so useful.

My favorite was setting up LDAP in combination with a jump host where I had a special program for the SSH command shell (like prgmr.com). I had it set up where the user could authenticate with a password, but then upload an SSH key from the custom shell.

I am not debating the usefulness of LDAP integrated with SSH. I agree with you.

Based on the interviewing I did last year, the clear trending solution, for enterprise, is Cyberark. I saw that all over the place for root password management.

Cyberark [1] and Delinea [2] are definitely the leading enterprise solutions right now. Okta too has an offering in this space, but I haven't seen it used widely yet.

But there are quite a few solutions in the market at this point that are on a growing trend. You would find Teleport [3] and StrongDM [4] in high-growth companies, whereas Adaptive.live [5], Idemeum.io [6] and now hoop.dev are in the early stage to series B.

[1] https://www.cyberark.com/

[2] https://delinea.com/thycotic

[3] https://delinea.com/thycotic

[4] https://www.strongdm.com/

[5] https://adaptive.live/

[6] https://idemeum.com/

This isn’t root password management. Or at least, it shouldn’t be. Users shouldn’t have root passwords for end devices. This is about controlling access to remote servers and/or sudo access to those servers. None of which requires the root password on the remote server, unless I’m missing something. Is this for more ephemeral keys?