2.4 KiB
Pattern: Short-Lived SSH Certificates
Status: draft Readiness target: RL3 production Primary owners: ops-warden, ops-bridge, NetKingdom
Problem
Long-lived SSH keys make operator and agent access hard to revoke, audit, and scope.
Context
Use this pattern for administrative shell access, tunnel access, automation access, and agent access to infrastructure where SSH remains necessary.
Forces
- Operators need reliable emergency and maintenance access.
- Access must be time-boxed, attributable, and least privilege.
- Agents need identities separate from their human sponsors.
- SSH remains useful but should not bypass platform authorization.
Solution
Issue short-lived SSH certificates from a controlled authority after identity and policy checks. Consumers use certificates through ops-bridge or equivalent access paths that record actor, purpose, target, TTL, and correlation ids.
Implementation Sketch
- Authenticate the human, automation, or agent identity.
- Authorize target, role, command class, and TTL.
- Have ops-warden issue an SSH certificate with principal and expiry.
- Route access through ops-bridge where practical for audit capture.
- Revoke or let certificates expire quickly after use.
Failure Modes
| Failure | Mitigation |
|---|---|
| Static SSH key fallback persists | inventory and remove unmanaged keys |
| Certificates have broad principals | bind principals to role and target class |
| Agent access borrows human identity | issue explicit agent certificates |
| Audit path bypassed | restrict direct network/admin paths |
Related Capabilities
- Privileged access management.
- Agent access control.
- Incident response and recovery.
- Observability, detection, and audit.
Maturity
Draft. Pattern ownership is clear, but implementation details live in the ops repos and need verification fixtures.
Verification
- Certificates expire quickly and cannot be renewed silently.
- Certificate principal, target, actor, and reason are logged.
- Static key exceptions are inventoried and reviewed.
- Agent identities are distinguishable from human identities.
Research Basis
Seeded by privileged access management, time-boxed privilege elevation, human/agent identity split, and break-glass access patterns.
References
- Initial exploration: Authorization and access control.
- NetKingdom ownership map: ops-warden and ops-bridge.