cmc cmc

  • SF Bay Area
YubiHSM2 Backed SSH Certificates
### I use HSM backed SSH certs and so can you. [why?: keys can be stolen, certs expire!]
1. Get a YubiHSM2 @ https://www.yubico.com/products/hardware-security-module/
2. Follow this: https://github.com/YubicoLabs/yubihsm-ssh-tool [Yes, you're going to have to install all the other Yubico stuff too (yubihsm-connector, etc.)] on your issuing machine, or airgapped machine.
3. Be content that you can now sign certificates with the HSM on the issuer/airgapped machine.
4. Update /etc/ssh/sshd_config on the remote server to add:
```
TrustedUserCAKeys /etc/ssh/ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
```
5. Add principals here (one file per user, named after the login name, under /etc/ssh/auth_principals/):
ex:
gist:202b73c247d164cfd99fc2b21cf52207
```python
import logging
import os
import requests
import sys
import time

# Root logger at DEBUG so every module's messages are captured.
ROOT = logging.getLogger()
ROOT.setLevel(logging.DEBUG)
# Send log records to stdout (rather than the default stderr).
HANDLER = logging.StreamHandler(sys.stdout)
HANDLER.setLevel(logging.DEBUG)
ROOT.addHandler(HANDLER)
```
keybase.md

Keybase proof

I hereby claim:

  • I am cmc on github.
  • I am cmccsec (https://keybase.io/cmccsec) on keybase.
  • I have a public key whose fingerprint is 9CC9 F1A8 39AD FA13 CC44 927D 972D 9418 25A3 8832

To claim this, I am signing this object:

keybase.md

Keybase proof

I hereby claim:

  • I am cmccsec on github.
  • I am cmccsec (https://keybase.io/cmccsec) on keybase.
  • I have a public key whose fingerprint is DDDF 2043 76B1 2992 CF53 FE08 6CA2 02FD 2703 7BAF

To claim this, I am signing this object:

cmc / keybase.md (last active Aug 29, 2015)

Keybase proof

I hereby claim:

  • I am cmc87 on github.
  • I am cmccsec (https://keybase.io/cmccsec) on keybase.
  • I have a public key whose fingerprint is DDDF 2043 76B1 2992 CF53 FE08 6CA2 02FD 2703 7BAF

To claim this, I am signing this object: