bless | pam-ussh
---|---
6 | 3
2,729 | 827
0.2% | 0.0%
0.0 | 0.0
9 months ago | about 1 year ago
Python | Go
Apache License 2.0 | MIT License
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
bless
- What are SSH Certificate Authority solutions?
  In the quick search I learned about:
  ssh cert authority, which looks very manual and also like a dead project;
  smallstep's step-ca, who put together very nice article about how to begin certificate authority process;
  Netflix' BLESS is AWS only;
  Cashier, which also looks quite ok
- What is the best way to manage SSH identities and access on scale?
  NETFLIX BLESS - Bastion's Lambda Ephemeral SSH Service
- Has anyone here heard of the term “infrastructure access platform” or StrongDm or Teleport?
- Cryptojacking Attacks Continue To Target SSH Servers
- How often should I rotate my SSH keys?
- Why SSH certificates are awesome
  3. BLESS - By Netflix
pam-ussh
- Sudo rules when using SSH certificates
  One solution could be uber-pamussh, which allows reusing the SSH certificate and the given principals as a filter for sudo access. Sounds great and works pretty good, but the issue is that the repo is not maintained (or has at least a low activity), which makes me doubt if this is a good solution.
- Locking Down SSH - The Right Way
  Yep. We're using Vault to provide SSH certs, and it works like a dream. For certain servers, we're even using this PAM module to provide passwordless sudo: https://github.com/uber/pam-ussh
- Why SSH certificates are awesome
  Uber’s PAM module
What are some alternatives?
certificates - 🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
sshrimp - 🦐SSH Certificate Authority in a Lambda (on the barbie)
the-bastion - Authentication, authorization, traceability and auditability for SSH accesses.
cashier - A self-service CA for OpenSSH
openssh-sk-winhello - A helper for OpenSSH to interact with FIDO2 and U2F security keys through native Windows Hello API
keymaster - Short term certificate based identity system (ssh/x509 ca + openidc)
streamalert - StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define.
sekey - Use Touch ID / Secure Enclave for SSH Authentication!
bundlewrap - Config management with Python
secretive - Store SSH keys in the Secure Enclave