Show HN: SSH Permit A38 – Central Managment and Deployment for SSH Keys (opens in new tab)

FreeIPA - I wish more people knew about this. You can tie a public SSH key to a user (users can also self-register them) and it is automatically recognized on all hosts joined to the IPA domain, if you want to limit who has access to what the integrated RBAC facilities are there to handle that as well.

Have you looked at ScaleFT? https://www.scaleft.com

They apply BeyondCorp style management for both server and web access.

There is also Teleport by Gravitational: https://gravitational.com/teleport/

I love vault's functionality around this: https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-cert...

Along with something like Packer to bake the cert right into the image.

We (Foxpass, https://www.foxpass.com/) are a YCS15 company offering a SaaS (or on-prem) service to handle SSH key management & rotation, plus user and group management.

With our API, some customers are creating dynamic access rules (for example, an on-caller might have 'sudo' during their on-call week, but not at other times).

Like a hosted FreeIPA, but more powerful.

If you're managing large amount of servers and don't want to update configs on the servers themselves then use e.g. OpenLDAP.

You're much better off using AuthorizedKeysCommand as vertex-four suggested, and ditch passwords completely. It just needs to return the SSH public key of the login user. You can get that from any backend you like. If you have an LDAP server, great. But it doesn't have to be anything fancy; you could pull the user's key off a web server!

Distributing accounts and SSH keys via any configuration management system is clunky by comparison, and scales badly when you get to many hundreds of users and thousands of servers.

It doesn't. A bit faster maybe.

Ansible is perfect for deploying SSH keys.

Nice. I do the same, with Saltstack. I manage all my users' access, including account creation and removal, password setting, and key management. Easy peasy.

Can you post an example of this? Link works too.

If you’re in AWS, wouldn’t SSM agents on instances be preferable to SSH access? That provides for both access control (IAM for user access, SSM documents for constraining command execution authority) and auditing/logging of executed commands (CloudTrail).

This does not work for interactive terminal use cases, but does work (in my experience) if you’re targeting immutable instances. It also has the lovely side effect that you can create scheduled tasks within the AWS control plane (if that’s your cup of tea).

Example SSM client: https://github.com/itsdalmo/ssm-sh

Disclaimer: I’m implementing this in a large enterprise environment.

It resonates highly with the kind of bureaucracy that Germans have to put up with.

Therefore it wouldn't surprise me if this scene is most popular with Germans and others nationalities only regard it as a funny, exaggerated sequence. Whereas for Germans it hits close to home.

No idea but I'm dutch and this used to be one of my favorite movies, so it could also have been a dev from the Netherlands. I love indeed how it describes bureaucracy but I used to really love that Chef that keeps bringing food enthusiastically.

Asterix Andy Obelix are big in Germany At least in my childhood:-D But it is French

Not sure if the ship was named after it as well, but Permit A38 references a scene from an Asterix and Obelix animated film (https://en.wiktionary.org/wiki/Passierschein_A38; https://www.youtube.com/watch?v=GI5kwSap9Ug). The comic series by René Goscinni and animated films were very popular in Europe, probably not so much in the US.

Permit A38 refers to a scene where the protagonists are referred multiple times within a overly beaurocratic Roman administrative office, so it has become sort of synonymous with a Sysiphean task in German language (at least in limited circles).