undefined | Better HN

0 pointsg_p4y ago0 comments

Great to hear, and nice work with the project so far!

I think it definitely makes sense to focus on getting the minimum viable feature set ready first - the only reason for suggesting certificates was it seemed like the kind of area where a caddy-based setup could really help simplify the process for users, and make it easier. Users hate trying to manually define quirky configs, but I could see some well-thought-through caddyfile syntax based on extractors and pattern matching with some useful defaults proving very useful for a range of scenarios that would make it very quick to deploy.

Things like "fetch the username from this field, let the user log into anything with that username", then expanding to say "... As long as the server thinks it's in a group that the user certificate lists", and "let them log in as any user, but only to hosts in a group listed here in the certificate". With user, group and hostname you likely have a lot of what people would need, aside from sane defaults like checking expiry and validity, checking signature on the certificate, and some kind of usable revocation checking, which is always an annoying pain point for any long lived certificate-based system, but which a system like caddy could make into child's play!

0 comments

1 comments · 1 top-level

francislavoie4y ago

You're not wrong -- Caddy has a PKI app built-in, which is basically a wrapper around Smallstep's CA libs. That could be used to issue SSH certs as well, probably.

j / k navigate · click thread line to collapse