HackerTrans
TopNewTrendsCommentsPastAskShowJobs

traumivator

no profile record

comments

traumivator
·2 ปีที่แล้ว·discuss
You are very close to solving a real business problem. The problem is not "how can I have SSH aliases on my computer" but "how can we manage, company-wide, who can access which SSH servers."

My company currently uses YubiKeys to support hardware-based individual SSH keys. These SSH keys are distributed with Ansible. It works but is cumbersome and lacks a single pane of glass.

What we would like to have: a list of servers, a list of users, user roles (via sudoers), and a WebUI to manage all of it. And I don't know of any tool to do this. Of course, there are tools like Teleport or SSH CA instead of SSH keys, but they are for larger organizations and are overkill for my company.
traumivator
·2 ปีที่แล้ว·discuss
My company evaluated both Yubikey and Nitrokey and decided to use Yubikey. While they are both in the same price range, Yubikeys are more durable, whereas the Nitrokey plastic cover began to show cracks. Because our employees wear them on their keychains, that would be a problem, while the Yubikeys were fine.

Also, the cheap Nitrokey FIDO2 key doesn't support ED25519 for SSH keys, only RSA and ECDSA, and even though they are open source, the promised support for ED25519 is still not delivered even after 4 years, so I doubt it will ever come: https://github.com/Nitrokey/nitrokey-fido2-firmware/issues/3...

Ultimately, while I like the idea of open-source, for a company use case, we had to go with Yubikey.