If you’re not using SSH certificates you’re doing SSH wrong

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • Gravitational Teleport

    The easiest, and most secure way to access and protect all of your infrastructure.

  • Sasha, CTO @ Teleport here.

    I agree, our enterprise product is quite expensive. Let me explain why:

    * We are going through several security audits by third party agencies several times per year. We are trying to hire the best security agencies to audit our code and it is quite expensive.

    * We are recruiting globally and try to place our comp at 90th+ percentile of the compensation as listed in opencomp.com and other sources we have access to.

    * Our sales process also takes time, and the sales team employs sales engineers, sales and customer success specialists to assist with deployments of such a critical piece of the infrastructure.

    * For all our employees we have wellness benefits for home office improvement, personal development, healthcare packages.

    All of these factors above add up and we charge a lot for building a quality security product supported 24/7 across the globe.

    However, this might not work for everyone, and we have a completely free and open source version that people can use without ever talking to our sales team:

    https://github.com/gravitational/teleport

  • cli

    🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc. (by smallstep)

  • And they have an open issue for producing a chocolatey package: https://github.com/smallstep/cli/issues/365

  • ssh-baseline

    DevSec SSH Baseline - InSpec Profile

  • slips

    SatoshiLabs Improvement Proposals

  • https://github.com/satoshilabs/slips/blob/master/slip-0039.m...

    > Shamir's secret-sharing provides a better mechanism for backing up secrets by distributing custodianship among a number of trusted parties in a manner that can prevent loss even if one or a few of those parties become compromised.

    > However, the lack of SSS standardization to date presents a risk of being unable to perform secret recovery in the future should the tooling change. Therefore, we propose standardizing SSS so that SLIP-0039 compatible implementations will be interoperable.

  • sshscan

    a host scanning infrastructure

  • > these people seem to think that cannot be done in a shell script because the password needs to be entered interactively.

    That's what autopw[1] is for. ;p

    [1] https://github.com/jschauma/sshscan/blob/master/src/autopw

  • age

    A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

  • I feel that trying to make SSH keys short-lived is becoming more painful each year because there's an increase of tools that use SSH keys for purposes other than SSH logins. For example, age [1] encrypts files with SSH keys, agenix [2] does secrets management with it, Git can now sign commits with it [3], and even ssh-keygen can now sign arbitrary data [4]. All of these become useless the moment you start using short-lived keys.

    [1]: https://github.com/FiloSottile/age

    [2]: https://github.com/ryantm/agenix

    [3]: https://calebhearth.com/sign-git-with-ssh

    [4]: https://www.man7.org/linux/man-pages/man1/ssh-keygen.1.html

  • agenix

    age-encrypted secrets for NixOS and Home manager

  • ssh-principal-and-ca-playground

    Dockerized setup of SSH with a Certificate Authority and Principals configured

  • Agreed--SSH certificate authorities (and principals) are powerful things that can be used to manage SSH access at scale. My workplace is a large enterprise that uses our own CA for getting access to systems--the keys it issues are good for 8 hours, then we have to grab a new key (using an internal utility).

    For anyone who is interested, I put together a little playground which can be spun up in Docker that allows you to play around with and learn how SSH CAs and Principals work:

    https://github.com/dmuth/ssh-principal-and-ca-playground

  • careers

    Apply at https://jobs.lever.co/teleport (by gravitational)

  • Hey, I'm Sasha, CTO @ Teleport. I have designed our interview process and have described it here:

    https://goteleport.com/blog/coding-challenge/

    We are also trying to be as transparent as possible with our challenges being open source:

    https://github.com/gravitational/careers/tree/main/challenge...

    and requirements being published here:

    https://github.com/gravitational/careers/blob/main/levels.pd...

    I am sorry to hear that you had a bad experience. Our interview process is a trade-off and has one big downside - it may take more time and effort compared to classic interviews. It could also feel disappointing if the team does not vote in favor of the candidate's application.

    However, if there was something else wrong with your experience and you are willing to share, please send me an email to [email protected].

  • packages

    Community maintained packages for OpenWrt. Documentation for submitting pull requests is in CONTRIBUTING.md (by openwrt)

  • Which is why I installed openssh-server on my OpenWrt hosts. However, due to a bug [0] in the openssh-server package in the latest 21.02.2 release of OpenWrt, OpenSSH doesn't allow you to log in in failsafe mode on an OpenWrt host. Because my OpenWrt host lacked a recovery mode, it was essentially soft bricked.

    I was able to recover it using the serial port but even after all this, the comfort of using SSH certificates on all of my nodes was enough to keep making me use it instead of Dropbear.

    [0]: https://github.com/openwrt/packages/issues/17833

  • fakeiot

    Discontinued. Fake IoT test cluster used for the Full Stack coding challenge

  • That's a fair concern. We don't have extra steps to the interview process, our team votes only on the submitted code. However, we did not spend enough time thinking about automating as many of those steps as possible as we should have.

    For some challenges we wrote a public linter and tester, so folks can self-test and iterate before they submit the code:

    https://github.com/gravitational/fakeiot

    I'll go back and revise these with the team, thanks for the hint.

  • fides

    Discontinued. Fides is an SSH certificate signing server. It enables zero-trust infrastructure for your engineers by dynamically, and transparently, issuing short-lived certificates with clearly defined permissions. (by Radiergummi)

  • If you do it right, certificates will be signed as needed and have a short validity period, say half an hour or something. That means you need an automated signing application, or a very cheap full-time certificate manager.

    I’ve actually started working on such an app recently, including a web portal, CA rotation, automated configuration distribution, etc. Still far from usable, but if you’re interested in contributing: https://github.com/Radiergummi/fides
