This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-short-lived-ssh-certificates.md

2.4 KiB

Pattern: Short-Lived SSH Certificates

Status: draft Readiness target: RL3 production Primary owners: ops-warden, ops-bridge, NetKingdom

Problem

Long-lived SSH keys make operator and agent access hard to revoke, audit, and scope.

Context

Use this pattern for administrative shell access, tunnel access, automation access, and agent access to infrastructure where SSH remains necessary.

Forces

  • Operators need reliable emergency and maintenance access.
  • Access must be time-boxed, attributable, and least privilege.
  • Agents need identities separate from their human sponsors.
  • SSH remains useful but should not bypass platform authorization.

Solution

Issue short-lived SSH certificates from a controlled authority after identity and policy checks. Consumers use certificates through ops-bridge or equivalent access paths that record actor, purpose, target, TTL, and correlation ids.

Implementation Sketch

  1. Authenticate the human, automation, or agent identity.
  2. Authorize target, role, command class, and TTL.
  3. Have ops-warden issue an SSH certificate with principal and expiry.
  4. Route access through ops-bridge where practical for audit capture.
  5. Revoke or let certificates expire quickly after use.

Failure Modes

Failure Mitigation
Static SSH key fallback persists inventory and remove unmanaged keys
Certificates have broad principals bind principals to role and target class
Agent access borrows human identity issue explicit agent certificates
Audit path bypassed restrict direct network/admin paths
  • Privileged access management.
  • Agent access control.
  • Incident response and recovery.
  • Observability, detection, and audit.

Maturity

Draft. Pattern ownership is clear, but implementation details live in the ops repos and need verification fixtures.

Verification

  • Certificates expire quickly and cannot be renewed silently.
  • Certificate principal, target, actor, and reason are logged.
  • Static key exceptions are inventoried and reviewed.
  • Agent identities are distinguishable from human identities.

Research Basis

Seeded by privileged access management, time-boxed privilege elevation, human/agent identity split, and break-glass access patterns.

References

  • Initial exploration: Authorization and access control.
  • NetKingdom ownership map: ops-warden and ops-bridge.