[NZLUG] Key Management Service

Guy K. Kloss guy at kloss.nz
Tue Jul 19 15:07:53 NZST 2016


Hi all,

we've set up a system composed of a good dozen of machines, with many
users, etc. In this system, for different tasks SSH and GnuPG keys need
to be managed. This management needs to happen securely in a
"centralised way" (though probably redundant for high availability). The
keys managed are commonly for machine users and admins, not for end
users. Some of the things this system is required to do is the following:

* manage private and public keys for different users on different
  hosts

* manage SSH and GnuPG key pairs

* allow for managed expiry of keys (TTL = time to live)

* allow for central revocation/cancellation of keys

* allow for central key renewal (or at least alerting for
  key expiry)

* allow for access to the key pairs from users on the different
  hosts on an authenticated basis

We're currently running FreeIPA in the environment for the general
central authentication and user/permission management. But it's not
sufficient for centrally managing SSH and GnuPG keys. The (remote)
system is quite strongly hardened (with a number of sub-net domains, and
has undergone some significant security audits and pen testing already).
One of the few open tickets is to get a stronger hold on the SSH and
GnuPG key pairs, mainly for the different machine users.

Would anybody know what could be used for that? I haven't stumbled upon
anything that seems suitable doing a few simple Google searches. I'd
prefer something in free/open source, but if nothing's around, I'm also
willing to consider something commercial/proprietary.

Any input is welcome.

Thanks in advance,

Guy

-- 
----> µ wisdom brought to you by Guy K. Kloss <----
»Wo kämen wir hin,
wenn jeder sagen würde  | ... guy at kloss.nz ...
"wo kämen wir hin?"     | Phone:  +64-9-550 8499
und keiner ginge los,   | Mobile: +64-210 2323 715
um zu sehen,
wo wir hinkämen«

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nzoss.org.nz/pipermail/nzlug/attachments/20160719/edf289e5/attachment.sig>


More information about the NZLUG mailing list