undefined | Better HN

story

0 pointschiefalchemist4y ago0 comments

Not really. What is the case for not using well vetted best practices and replacing those with an unvetted proprietary solution? What problems does 1PW solve that necessitates taking on such risk?

We're not talking about social media PWs. ssh keys are not something to add risk to, eh.

0 comments

nijave4y ago

1Password is used at a lot of medium-small businesses where employees have shared credentials (usually these smaller businesses don't have built-out identity management systems to cover everything with SSO).

A place I worked before would store SSH keys for build machine base images (AWS AMIs) in 1Password. It wasn't worth the trouble trying to setup SSO since the machines rarely needed accessed and only by a handful of people to troubleshoot/manage them.

It's also common to share credentials when you're working with small SaaS that don't support multiple users or SSO. In addition, sometimes business integrations will have fixed credentials (like the SSH key to upload reports to a business partners SFTP server). People still need access to the keys for troubleshooting and debugging.

hobobaggins4y ago

Would that be a good use case for something like Userify, so that there's no need to store any keys in a base image/AMI where they can't be easily updated/removed? Then you don't need to give your private keys to a third party, either.

nijave4y ago

We didn't store keys in the AMI. We added the public half to EC2 then attached that key to the launch configuration where it gets added to the VMs authorized_keys on startup.

I don't think running a Userify daemon on the server is better than a private key in 1Password. At least with the private key approach, you can layer on network access restrictions (firewall rules or VPN). Userify would need to create an outbound connection to its control plane to manage keys

gunapologist994y ago

The Userify daemon in this case is just a shell or python script (https://github.com/userify/shim) so pretty simple to audit.

1 more reply

culturestate4y ago

> We're not talking about social media PWs. ssh keys are not something to add risk to, eh.

I mean, 1Password already stores my credentials for the AWS console, Cloudflare, Netlify, GitHub, et al. I’m not sure adding my commit keys to that pile is dramatically increasing my exposure.

1 more reply

staticassertion4y ago

Who says your best practices are well tested?

chiefalchemistOP4y ago

Who says they are my best practices? They are established industry best practices.

So again I'll ask: what case does 1PW make to deviate from those?

j / k navigate · click thread line to collapse

0 comments

nijave4y ago

hobobaggins4y ago

nijave4y ago

We didn't store keys in the AMI. We added the public half to EC2 then attached that key to the launch configuration where it gets added to the VMs authorized_keys on startup.

gunapologist994y ago

The Userify daemon in this case is just a shell or python script (https://github.com/userify/shim) so pretty simple to audit.

1 more reply

culturestate4y ago

> We're not talking about social media PWs. ssh keys are not something to add risk to, eh.

I mean, 1Password already stores my credentials for the AWS console, Cloudflare, Netlify, GitHub, et al. I’m not sure adding my commit keys to that pile is dramatically increasing my exposure.

1 more reply

staticassertion4y ago

Who says your best practices are well tested?

chiefalchemistOP4y ago

Who says they are my best practices? They are established industry best practices.

So again I'll ask: what case does 1PW make to deviate from those?

j / k navigate · click thread line to collapse