This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-short-lived-ssh-certificates.md

77 lines
2.4 KiB
Markdown

# Pattern: Short-Lived SSH Certificates
Status: draft
Readiness target: RL3 production
Primary owners: ops-warden, ops-bridge, NetKingdom
## Problem
Long-lived SSH keys make operator and agent access hard to revoke,
audit, and scope.
## Context
Use this pattern for administrative shell access, tunnel access,
automation access, and agent access to infrastructure where SSH remains
necessary.
## Forces
- Operators need reliable emergency and maintenance access.
- Access must be time-boxed, attributable, and least privilege.
- Agents need identities separate from their human sponsors.
- SSH remains useful but should not bypass platform authorization.
## Solution
Issue short-lived SSH certificates from a controlled authority after
identity and policy checks. Consumers use certificates through
ops-bridge or equivalent access paths that record actor, purpose,
target, TTL, and correlation ids.
## Implementation Sketch
1. Authenticate the human, automation, or agent identity.
2. Authorize target, role, command class, and TTL.
3. Have ops-warden issue an SSH certificate with principal and expiry.
4. Route access through ops-bridge where practical for audit capture.
5. Revoke or let certificates expire quickly after use.
## Failure Modes
| Failure | Mitigation |
| --- | --- |
| Static SSH key fallback persists | inventory and remove unmanaged keys |
| Certificates have broad principals | bind principals to role and target class |
| Agent access borrows human identity | issue explicit agent certificates |
| Audit path bypassed | restrict direct network/admin paths |
## Related Capabilities
- Privileged access management.
- Agent access control.
- Incident response and recovery.
- Observability, detection, and audit.
## Maturity
Draft. Pattern ownership is clear, but implementation details live in
the ops repos and need verification fixtures.
## Verification
- Certificates expire quickly and cannot be renewed silently.
- Certificate principal, target, actor, and reason are logged.
- Static key exceptions are inventoried and reviewed.
- Agent identities are distinguishable from human identities.
## Research Basis
Seeded by privileged access management, time-boxed privilege elevation,
human/agent identity split, and break-glass access patterns.
## References
- Initial exploration: Authorization and access control.
- NetKingdom ownership map: ops-warden and ops-bridge.