Keybase SSH CA

44 points by ddworken almost 6 years ago

3 comments

mdaniel almost 6 years ago
For those interested in this approach, but who would prefer fewer moving parts on the actual machines, I have had great experiences with Vault's signed SSH CA support, which includes the ability to get very short leases assigned to specific user accounts: https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html#signing-key-amp-role-configuration

It's possible the Keybase CA bot solves other problems, but as far as "quick to get started," one cannot beat `curl -sSfo /etc/ssh/trusted-user-ca-keys.pem https://my-vault:8200/v1/ssh-client-signer/public_key && echo 'TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem' >> /etc/ssh/sshd_config && systemctl restart ssh-server`
Comment #20777755 not loaded
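The Vault one-liner in the comment above, reworked as an added example (not code from the thread, from Vault, or from Keybase) into an idempotent installer: it refuses to install a fetched file that is not a single OpenSSH public key (a Vault error body must never become TrustedUserCAKeys), replaces rather than re-appends the sshd_config directive, and only restarts sshd after `sshd -t` accepts the config. The Vault URL, the file paths, the systemd unit name and the sample key line are assumptions or constructed values.

```shell
#!/bin/sh
# Added example, not code from the thread. Installs a Vault-issued SSH CA public key
# as sshd's TrustedUserCAKeys without two rough edges of the plain one-liner:
# it validates that the fetched file really is a single OpenSSH public key, and it
# is idempotent, so re-running it (e.g. from config management) does not append a
# second TrustedUserCAKeys line every time.
# Assumed inputs: $1 = file fetched from .../v1/ssh-client-signer/public_key,
# $2 = sshd_config to edit, $3 = where to install the CA key.

# Constructed sample of what the Vault endpoint returns (format only, not a real key).
SAMPLE_CA_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleNotARealCAKey0000000 vault-ssh-client-signer'

# OpenSSH public key line: key type, base64 blob (always starts with AAAA), optional comment.
CA_KEY_RE='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) AAAA[A-Za-z0-9+/]+=*( .*)?$'

# Succeeds only if the file is exactly one line and that line parses as a public key.
validate_ca_key() {
  [ "$(grep -c '' "$1")" -eq 1 ] && grep -Eq "$CA_KEY_RE" "$1"
}

# Copy the CA key into place and ensure exactly one TrustedUserCAKeys directive points at it.
install_trusted_ca() {
  key_file="$1"; sshd_config="$2"; dest="$3"
  if ! validate_ca_key "$key_file"; then
    echo "refusing to install $key_file: not a single OpenSSH public key" >&2
    return 1
  fi
  cp "$key_file" "$dest" && chmod 0644 "$dest" || return 1
  tmp="$sshd_config.tmp"
  cp -p "$sshd_config" "$tmp" || return 1   # keep the config file's owner and mode
  # Drop any existing directive, then add ours once.
  grep -Ev '^[[:space:]]*TrustedUserCAKeys[[:space:]]' "$sshd_config" > "$tmp" || true
  printf 'TrustedUserCAKeys %s\n' "$dest" >> "$tmp"
  mv "$tmp" "$sshd_config"
}

# Restart only after sshd accepts the new configuration; a bad config would
# otherwise lock everyone out. Unit name is assumed: ssh on Debian/Ubuntu, sshd on RHEL-likes.
restart_sshd_if_valid() {
  sshd -t -f "$1" && systemctl restart sshd
}

# Typical use on a host (requires root; my-vault is a placeholder hostname):
#   curl -sSf https://my-vault:8200/v1/ssh-client-signer/public_key -o /tmp/vault-ca.pub
#   install_trusted_ca /tmp/vault-ca.pub /etc/ssh/sshd_config /etc/ssh/trusted-user-ca-keys.pem \
#     && restart_sshd_if_valid /etc/ssh/sshd_config
```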
malgorithms almost 6 years ago
This was a summer internship project at Keybase, and the whole team is thrilled with how it turned out. The OP of this post is the author of the project and would be happy to answer questions here in HN.

One of the biggest devops pain points for a large team and large infrastructure is updating N servers every single time a team member is added or removed. Of course there are some other solutions to this problem, but the Keybase one is extra slick and just works automatically once it's set up.

It's also entirely powered by an open-source 3rd party bot, so it can be forked for improvement or to build something else triggered by cryptographic team membership changes.
exabrial almost 6 years ago
We keep our pubkeys in slapd... Since LDAP is mainly read only, fairly easy to have many read only replicas for redundancy.