Ad Hoc SSH Access Using Signed Tokens

Thursday, June 13, 2019 - 3:00 pm–3:30 pm

Daniel Bourque, Facebook


Static SSH access permissions can severely slow down troubleshooting and testing in large organizations. Do you enjoy waiting for DBAs to be granted access to servers you're trying to fix? Not only is this frustrating for you and your customers, it often results in teams being unnecessarily granted permanent admin access to large portions of your fleet.

This talk will demonstrate how we built a secure yet convenient temporary SSH access granting mechanism that is both ad hoc and peer-based. After a brief recap of SSH certificate-based access, I will detail how to use X.509 signed tokens to grant short-lived SSH certificates on demand.

Daniel Bourque, Facebook

Dan has been building distributed Unix/Linux systems at various scales for over 15 years. He loves automation, reliability and clean, simple designs. He currently focuses his work around security.

@conference {233213,
author = {Daniel Bourque},
title = {Ad Hoc {SSH} Access Using Signed Tokens},
year = {2019},
address = {Singapore},
publisher = {USENIX Association},
month = jun
}
