We're a small company. We have several servers that we access through SSH. We would like to centralize SSH access.

Current solutions we are aware of:

- Share the SSH keys, e.g. on a shared filesystem.
- Distribute SSH public keys of users with Puppet, Ansible, etc.
- https://goteleport.com/ (a fancy bastion host)

What I'm looking for:

A tool with which an employee requests access to a server and automatically gets a signed SSH key in return which has limited validity. This key is automatically loaded into the ssh-agent. Ideally, '~/.ssh/config' is adjusted so that the correct username is used, and '~/.ssh/known_hosts' is updated with the server's public key digest.

What I imagine from the perspective of the user:

- 'tool auth'
  - Check if authenticated with the central key management server
  - Otherwise OAuth with my regular SSO (e.g. Google Workspace)
- 'tool ssh server0.corp.com'
  - Check with the central key management server if the user has permission to access server0.corp.com
  - If yes, issue a time-constrained certificate (or sign the user's local public key, whatever)
  - Ensure that the server is configured correctly in '~/.ssh/config'
  - Ensure that the server public key digest is in '~/.ssh/known_hosts'
  - Add the certificate to ssh-agent
- Run the ssh-based command, e.g. 'ssh server0.corp.com', 'scp local_file server0.corp.com:remote_file', 'ansible-playbook ...', 'git pull -pr' or whatever

Does such a system exist? Ideally something that is easy to deploy to a cloud if it would be self-hosted (and in the best case makes use of Azure KV, Google KMS, AWS KMS, Vault, ...) or that is hosted (i.e. offered as a service).

From the operator perspective, it should not take more than configuring the PKI in OpenSSH and/or maybe installing an agent on the server. (But it'd be great if that were not necessary (as OpenSSH afaik can already handle PKI) and if the PKI-related tasks were handled through Ansible/Puppet/etc. or the 'tool'.)
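The certificate, known_hosts and ~/.ssh/config steps from the wish list above, written out with plain OpenSSH so it is clear what the imagined 'tool' would have to drive; this is an added example, not code from the post or from any product it names. It assumes ssh-keygen is on PATH and uses a temporary directory, the login name 'deploy', the key ID 'alice@sso' and the domain *.corp.com as constructed values.

```shell
#!/bin/sh
# Added example: the OpenSSH certificate mechanics behind 'tool ssh server0.corp.com'.
set -eu

WORK=$(mktemp -d)   # constructed scratch dir standing in for ~/.ssh and /etc/ssh

# Operator side, done once: a user CA (trusted by servers) and a host CA (trusted by clients).
make_cas() {
  ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/user_ca"
  ssh-keygen -q -t ed25519 -N '' -C 'host-ca' -f "$WORK/host_ca"
}

# Per request: sign the user's local public key for ONE principal (the login name on the
# server) with a short validity window such as +1h. Servers only need
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
# in sshd_config; no per-user authorized_keys distribution.
issue_user_cert() {   # $1 = login name, $2 = validity, e.g. +1h
  [ -f "$WORK/id_ed25519" ] || ssh-keygen -q -t ed25519 -N '' -f "$WORK/id_ed25519"
  ssh-keygen -q -s "$WORK/user_ca" -I 'alice@sso' -n "$1" -V "$2" "$WORK/id_ed25519.pub"
  # ssh-add "$WORK/id_ed25519" would load key + id_ed25519-cert.pub into the agent.
}

# Host side: sign the server's host key, then one known_hosts line trusts every
# *.corp.com host cert instead of a per-host fingerprint.
issue_host_cert() {   # $1 = hostname
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/ssh_host_ed25519_key"
  ssh-keygen -q -s "$WORK/host_ca" -I "$1" -h -n "$1" -V +52w "$WORK/ssh_host_ed25519_key.pub"
  printf '@cert-authority *.corp.com %s\n' "$(cat "$WORK/host_ca.pub")" > "$WORK/known_hosts"
}

# Client side: the ~/.ssh/config stanza that picks the right user, key and certificate.
write_client_config() {   # $1 = hostname, $2 = login name
  printf 'Host %s\n  User %s\n  IdentityFile %s\n  CertificateFile %s-cert.pub\n  UserKnownHostsFile %s\n' \
    "$1" "$2" "$WORK/id_ed25519" "$WORK/id_ed25519" "$WORK/known_hosts" > "$WORK/config"
}

# Inspection helpers: what the tool would check before handing the cert to the agent.
cert_principals() {   # prints the principals listed in a certificate file
  ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' | sed '1d;$d' | tr -d ' \t'
}
cert_is_host() { ssh-keygen -L -f "$1" | grep -q 'Type:.*host certificate'; }
cert_has_validity_window() { ssh-keygen -L -f "$1" | grep -q 'Valid: from '; }
```

Run with `make_cas; issue_user_cert deploy +1h; issue_host_cert server0.corp.com; write_client_config server0.corp.com deploy` and inspect the results with `ssh-keygen -L -f "$WORK/id_ed25519-cert.pub"`.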