Managing SSH Access without Managing SSH Keys

Friday, November 03, 2017 - 2:00 pm2:30 pm

Niall Sheridan, Intercom


Everyone uses SSH to manage their production infrastructure, but it's really difficult to do a good job of managing SSH keys. Many organisations don't know how many SSH keys have access to production systems or how protected those keys are. A trusted SSH private key can be years old, unprotected by passphrase, and shared among multiple people who may not even work for you.

With some tooling and configuration SSH keys can be replaced with limited-use ephemeral certificates, issued centrally and with better access controls and automatic key expiration, solving many of the shortcomings of using SSH keys.

This talk will cover:

  • Managing SSH keys: The bad parts
  • Replacing SSH keys with ephemeral certificates: how & why
  • Discussion of an implementation of a CA for SSH certificates
  • Call for participation, showing github source

Niall Sheridan, Intercom

Niall Sheridan is an SRE on Intercom's infrastructure team. His main interests are automation, monitoring, and he loves a good post-mortem.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@conference {207253,
author = {Niall Sheridan},
title = {Managing {SSH} Access without Managing {SSH} Keys},
year = {2017},
address = {San Francisco, CA},
publisher = {USENIX Association},
month = oct

Presentation Video 

Presentation Audio