generated from coulomb/repo-seed
77 lines
2.4 KiB
Markdown
77 lines
2.4 KiB
Markdown
# Pattern: Short-Lived SSH Certificates
|
|
|
|
Status: draft
|
|
Readiness target: RL3 production
|
|
Primary owners: ops-warden, ops-bridge, NetKingdom
|
|
|
|
## Problem
|
|
|
|
Long-lived SSH keys make operator and agent access hard to revoke,
|
|
audit, and scope.
|
|
|
|
## Context
|
|
|
|
Use this pattern for administrative shell access, tunnel access,
|
|
automation access, and agent access to infrastructure where SSH remains
|
|
necessary.
|
|
|
|
## Forces
|
|
|
|
- Operators need reliable emergency and maintenance access.
|
|
- Access must be time-boxed, attributable, and least privilege.
|
|
- Agents need identities separate from their human sponsors.
|
|
- SSH remains useful but should not bypass platform authorization.
|
|
|
|
## Solution
|
|
|
|
Issue short-lived SSH certificates from a controlled authority after
|
|
identity and policy checks. Consumers use certificates through
|
|
ops-bridge or equivalent access paths that record actor, purpose,
|
|
target, TTL, and correlation ids.
|
|
|
|
## Implementation Sketch
|
|
|
|
1. Authenticate the human, automation, or agent identity.
|
|
2. Authorize target, role, command class, and TTL.
|
|
3. Have ops-warden issue an SSH certificate with principal and expiry.
|
|
4. Route access through ops-bridge where practical for audit capture.
|
|
5. Revoke or let certificates expire quickly after use.
|
|
|
|
## Failure Modes
|
|
|
|
| Failure | Mitigation |
|
|
| --- | --- |
|
|
| Static SSH key fallback persists | inventory and remove unmanaged keys |
|
|
| Certificates have broad principals | bind principals to role and target class |
|
|
| Agent access borrows human identity | issue explicit agent certificates |
|
|
| Audit path bypassed | restrict direct network/admin paths |
|
|
|
|
## Related Capabilities
|
|
|
|
- Privileged access management.
|
|
- Agent access control.
|
|
- Incident response and recovery.
|
|
- Observability, detection, and audit.
|
|
|
|
## Maturity
|
|
|
|
Draft. Pattern ownership is clear, but implementation details live in
|
|
the ops repos and need verification fixtures.
|
|
|
|
## Verification
|
|
|
|
- Certificates expire quickly and cannot be renewed silently.
|
|
- Certificate principal, target, actor, and reason are logged.
|
|
- Static key exceptions are inventoried and reviewed.
|
|
- Agent identities are distinguishable from human identities.
|
|
|
|
## Research Basis
|
|
|
|
Seeded by privileged access management, time-boxed privilege elevation,
|
|
human/agent identity split, and break-glass access patterns.
|
|
|
|
## References
|
|
|
|
- Initial exploration: Authorization and access control.
|
|
- NetKingdom ownership map: ops-warden and ops-bridge.
|