9 Feb 2022 |
Winter (she/her) | right | 21:12:55 |
Winter (she/her) | (also, that "and before you jump in." wasn't meant to be rude/negative, right? i can't tell 😅, apologies) | 21:13:22 |
Zhaofeng Li | No, sorry, that wasn't my intention at all 🙂 I just got reminded of that from the SSH stuff that you mentioned | 21:15:10 |
10 Feb 2022 |
Winter (she/her) | all good :) | 02:14:10 |
Zhaofeng Li | I do appreciate you pointing out that you perceived it as rude 🙂 It helps me improve how I communicate as a non-native speaker | 02:40:53 |
Zhaofeng Li | (I meant it in the "now you may ask" sense) | 02:41:18 |
Winter (she/her) | In reply to @zhaofeng:zhaofeng.li I do appreciate you pointing out that you perceived it as rude 🙂 It helps me improve how I communicate as a non-native speaker Well I didn't think you meant to be rude (at least, I hoped that you didn't!), but I was pointing out that it could be interpreted as that. | 02:55:03 |
Winter (she/her) | In reply to @zhaofeng:zhaofeng.li (I meant it in the "now you may ask" sense) That's definitely a better way of phrasing it, imo. | 02:55:13 |
Winter (she/her) | Also, unrelated, but how do y'all secure/protect your SSH private keys? It seems like an issue with no perfect solution :c
(since rogue software could easily steal them or utilize them maliciously in every circumstance >.<) | 02:56:25 |
Buckley | At work I use a smartcard to deploy stuff, and my computer never sees the private key. It can also be done with yubikeys since they can emulate smartcards | 02:57:28 |
Zhaofeng Li | An alternative solution is with short-lived SSH certificates, signed by an SSH CA that relies some other authentication methods (OIDC, GitHub, etc.). Instead of allowing specific keys, the servers will simply trust the CA. | 04:14:11 |
Zhaofeng Li | In addition to client certs, servers can also present certificates, so you no longer have to type "yes" for a new host to TOFU anymore and can just have a single line in known_hosts to trusts your CA | 04:16:25 |
Zhaofeng Li | * In addition to client certs, servers can also present certificates, so you no longer have to type "yes" for a new host to TOFU anymore and can just have a single line in known_hosts to trust your CA | 04:16:30 |
Zhaofeng Li | There are a lot of CA implementations, including Vault (which I'm using), step-ca, Bless from Netflix (abandoned), and a bunch more | 04:18:18 |
Winter (she/her) | In reply to @buckley310:matrix.org At work I use a smartcard to deploy stuff, and my computer never sees the private key. It can also be done with yubikeys since the can emulate smartcards But for YubiKeys to be secure, you need to set it to require touch for every signing action -- which would get extremely annoying with how often Colmena invokes ssh. Of course, you could use ControlMaster, but what if you're deploying 40 hosts? You'd still need to touch it 40 times 😅 | 04:20:08 |
Buckley | yeah, i dont do that lol | 04:20:40 |
Zhaofeng Li | * An alternative solution is with short-lived SSH certificates, signed by an SSH CA that relies on some other authentication methods (OIDC, GitHub, etc.). Instead of allowing specific keys, the servers will simply trust the CA. | 04:21:30 |
Zhaofeng Li | That said, some "hardware crypto wallet"-like thing would definitely be cool | 04:22:08 |
Buckley | I just unlock the smartcard and it works until i yank it out | 04:22:10 |
Zhaofeng Li | ... perhaps a little LCD display that shows you the hostname and the command | 04:23:23 |
Winter (she/her) | In reply to @buckley310:matrix.org I just unlock the smartcard and it works until i yank it out ~~but then random software can use it~~ | 04:26:22 |
Buckley | its not perfect | 04:26:47 |
Winter (she/her) | seems like no solution is | 04:42:50 |
Winter (she/her) | which is what i'm complaining about, lol
isn't ideal but it's what we have, ig | 04:43:10 |
Winter (she/her) | the SSH certificate thing looks cool, i'll definitely look into it -- how do you handle stuff like Git forges who won't trust CAs, tho? do you just have a key for those? | 04:44:23 |
Zhaofeng Li | For the random software problem, perhaps we need stronger compartmentalization between applications, like in Qubes and lately SpectrumOS (with Nix) | 04:44:48 |
Zhaofeng Li | In reply to @winterqt:nixos.dev the SSH certificate thing looks cool, i'll definitely look into it -- how do you handle stuff like Git forges who won't trust CAs, tho? do you just have a key for those? True, for those use cases you would still need a regular key 🙁 | 04:45:38 |
Winter (she/her) | how well does Vault work as a CA, btw? | 04:56:30 |
Zhaofeng Li | In reply to @winterqt:nixos.dev how well does Vault work as a CA, btw? Fairly usable I'd say. The user experience is slightly awkward for the client certificate, because you pretty much need a helper script or alias to avoid typing the long vault ssh ... or vault login && vault write ... && ssh incantation | 05:10:23 |
Zhaofeng Li | I followed this blog post for the setup: https://brian-candler.medium.com/using-hashicorp-vault-as-an-ssh-certificate-authority-14d713673c9a | 05:11:35 |