| | keymaster | bless |
|---|---|---|
| | 7 | 6 |
| Stars | 114 | 2,729 |
| Growth | 1.8% | 0.2% |
| Activity | 6.8 | 0.0 |
| | 15 days ago | 9 months ago |
| Language | Go | Python |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
keymaster
- How about Hashi Boundary instead of a VPN?
- Ask HN: What are some tools / libraries you built yourself?
Also became a fun learning experience about terminals.
https://github.com/ThomasHabets/cmdg
I wanted to use GMail from a fast cli that used the native gmail API.
https://github.com/ThomasHabets/rslurp
I wanted to download concurrently and according to patterns. Ok, so honestly this one probably exists somewhere in a form that I would like, but I couldn't find it.
https://github.com/ThomasHabets/sim
I wanted multi-party authorization for sudo, and couldn't find one.
https://github.com/ThomasHabets/monotonic_clock
People kept using gettimeofday, so this is part of my campaign against it. (see https://blog.habets.se/2010/09/gettimeofday-should-never-be-...)
https://github.com/ThomasHabets/gtping
I worked in mobile core networks, and wanted a "ping" that used the GTP protocol since that won't be firewalled.
https://github.com/ThomasHabets/ind
I wanted my bash scripts to have automatic indentation, while not sacrificing buffering latency and such.
https://github.com/ThomasHabets/tlscheck
I wanted a simple tool to audit my TLS certificates for expiry.
https://github.com/google/huproxy
I was travelling to China on vacation and wanted a VPN out that would be unlikely to be blocked by the great firewall. Ok, so there are many VPN-like tools for getting through the GFW. Maybe it was just an excuse for me to write it. Honestly ssh -D would have likely worked just fine. It's being used by the keymaster project now though, so maybe it did something right: https://github.com/Cloud-Foundations/keymaster/blob/master/d...
https://github.com/google/tcpauth
I wanted to lock down SSH to anyone who doesn't have a secret key (and portknocking is usually ridiculous). Why not use TCP MD5 for it? https://github.com/google/tcpauth
- self hosted pki solutions?
Keymaster works great for users. Can issue user x509 and ssh certs. DNS challenge for server certs. I use Traefik for that.
- Self hosted 2FA service ?
-- This! I use this with Keymaster. Works very well.
- Alternative to Termius?
I'm a fan of signed / temporary keys. Check out https://github.com/Cloud-Foundations/keymaster
- Why SSH certificates are awesome
Documentation
bless
- What are SSH Certificate Authority solutions?
In the quick search I learned about: ssh cert authority, which looks very manual and also like a dead project; smallstep's step-ca, who put together a very nice article about how to begin the certificate authority process; Netflix' BLESS is AWS only; Cashier, which also looks quite ok
- What is the best way to manage SSH identities and access on scale?
NETFLIX BLESS - Bastion's Lambda Ephemeral SSH Service
- Has anyone here heard of the term “infrastructure access platform” or StrongDm or Teleport?
- Cryptojacking Attacks Continue To Target SSH Servers
- How often should I rotate my SSH keys?
- Why SSH certificates are awesome
3. BLESS - By Netflix
What are some alternatives?
certificates - 🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
Gravitational Teleport - The easiest, and most secure way to access and protect all of your infrastructure.
the-bastion - Authentication, authorization, traceability and auditability for SSH accesses.
gutenberg - A fast static site generator in a single binary with everything built-in. https://www.getzola.org
cashier - A self-service CA for OpenSSH
vouch-proxy - an SSO and OAuth / OIDC login solution for Nginx using the auth_request module
openssh-sk-winhello - A helper for OpenSSH to interact with FIDO2 and U2F security keys through native Windows Hello API
Pomerium - Pomerium is an identity and context-aware reverse proxy for zero-trust access to web applications and services.
streamalert - StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define.
teleport - A WebXR teleport for three.js
sekey - Use Touch ID / Secure Enclave for SSH Authentication!