I've been working on a small service for inserting ssh certificates into
ssh forwarded agents. See https://github.com/rorycl/sshagentca
The idea is that if you have an ssh forwarded agent with a certificate signed
through the service, you can connect to any ssh server which has the
TrustedUserCAKeys ssh setting set to the public part of the caprivatekey
keypair (other permissions such as principals permitting).
The server takes the following arguments:
sshagentca -pvt <privatekey> -ca <caprivatekey> -a <authorized_keys>
[-i <ipaddress>] [-p <port>] settings.yaml
The privatekey is an ssh server private key, and the caprivatekey is the ssh
server's Certificate Authority private key. On startup the user is prompted for
the passwords for each of these keys.
Is there a more secure way of doing this? Is using something like memguard
(https://github.com/awnumar/memguard) recommended to protect the passwords in
memory?
Based on Thaler and Sunstein's principle of "the nudge" I also wonder if it
would be a good idea to have the caprivatekey passed in by stdin, to encourage
users not to store the caprivatekey with the programme. (Passwordless private
keys are not permitted.)
Thanks for any comments
Rory
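One way to implement the stdin "nudge" and the no-passwordless-keys rule from the post, as an added example in Go using only the standard library (this is not sshagentca's own code): the CA key is read whole from stdin, the cipher field of the openssh-key-v1 container is inspected (it reads "none" for an unencrypted key, an assumption taken from OpenSSH's PROTOCOL.key format description), and the buffer is zeroed on every exit path. The names loadCAKey, keyCipher and wipe, and the constructed header sample, are this example's own.

```go
package main

import ("bytes"; "encoding/binary"; "encoding/pem"; "errors"; "fmt"; "io"; "os")

var opensshMagic = []byte("openssh-key-v1\x00") // container magic, see OpenSSH PROTOCOL.key
var errPasswordless = errors.New("CA private key has no passphrase; refusing to load it")

// keyCipher returns the cipher name recorded in an OpenSSH private key file:
// "none" for an unencrypted key, e.g. "aes256-ctr" for a passphrase-protected one.
func keyCipher(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "OPENSSH PRIVATE KEY" || !bytes.HasPrefix(block.Bytes, opensshMagic) {
		return "", errors.New("not an openssh-key-v1 private key")
	}
	raw := block.Bytes[len(opensshMagic):] // uint32 length prefix, then the cipher name
	if len(raw) < 4 || uint64(binary.BigEndian.Uint32(raw)) > uint64(len(raw)-4) {
		return "", errors.New("truncated key header")
	}
	return string(raw[4 : 4+binary.BigEndian.Uint32(raw)]), nil
}

// loadCAKey reads the whole CA key from r (stdin in practice, so the operator pipes
// it in rather than keeping it on disk beside the binary) and rejects passwordless keys.
func loadCAKey(r io.Reader) ([]byte, error) {
	pemBytes, err := io.ReadAll(r)
	if err != nil { return nil, err }
	cipher, err := keyCipher(pemBytes)
	if err == nil && cipher == "none" { err = errPasswordless }
	if err != nil { wipe(pemBytes); return nil, err } // never leave a rejected key in memory
	return pemBytes, nil
}

// wipe zeroes secret bytes in place; the GC may already have copied them, which is the gap memguard-style locked buffers target.
func wipe(b []byte) { for i := range b { b[i] = 0 } }

// constructedKeyPEM builds just the container header (cipher, then KDF name); a constructed sample, not a usable key.
func constructedKeyPEM(cipher string) []byte {
	raw := append([]byte{}, opensshMagic...)
	for _, s := range []string{cipher, "bcrypt"} {
		raw = append(binary.BigEndian.AppendUint32(raw, uint32(len(s))), s...)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: raw})
}

func main() { // startup with the CA key piped on stdin, e.g. sshagentca ... < ca_key
	key, err := loadCAKey(os.Stdin)
	if err != nil { fmt.Fprintln(os.Stderr, err); os.Exit(1) }
	defer wipe(key) // zero the PEM bytes once the key has been parsed and used
	fmt.Println("CA key accepted:", len(key), "bytes")
}
```

Zeroing a Go slice does not reach copies the runtime may have made, so this is the baseline that a locked, non-swappable buffer (the memguard approach asked about) improves on.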