generated from coulomb/repo-seed
tegwick
1865e0744e
Add credential routing, actor patterns, security map, OpenBao SSH checklist, and policy-gated signing design. Update registry and SCOPE; record INTENT↔SCOPE reassessment (C3 completeness).
130 lines
4.5 KiB
Markdown
130 lines
4.5 KiB
Markdown
---
|
|
id: capability.security.ssh-certificate-issuance
|
|
name: SSH Certificate Issuance
|
|
summary: Issue short-lived CA-signed SSH certificates for adm, agt, and atm actors through a stable cert_command CLI interface; steward operational access routing across NetKingdom security lanes.
|
|
owner: ops-warden
|
|
status: draft
|
|
domain: helix_forge
|
|
tags:
|
|
- ssh
|
|
- certificate
|
|
- ca
|
|
- ops-warden
|
|
- openbao
|
|
- security
|
|
|
|
maturity:
|
|
discovery:
|
|
current: D4
|
|
target: D5
|
|
confidence: medium
|
|
rationale: >
|
|
SCOPE, AccessManagementDirective alignment, config runbooks, and cert_command
|
|
contract are documented; production OpenBao integration is documented but
|
|
engine deployment lives in railiance-platform.
|
|
availability:
|
|
current: A3
|
|
target: A5
|
|
confidence: medium
|
|
rationale: >
|
|
Installable `warden` CLI and `ops-ssh-wrapper` entry points; ops-bridge and
|
|
other callers integrate via cert_command without backend-specific branching.
|
|
|
|
external_evidence:
|
|
completeness:
|
|
level: C3
|
|
name: Functional Core
|
|
confidence: medium
|
|
basis: scope_vs_intent_and_consumer_expectations
|
|
satisfied_expectations:
|
|
- local and OpenBao/Vault-compatible signing backends
|
|
- TTL policy enforcement per actor type
|
|
- principals inventory and cert-side scorecard
|
|
- signatures audit log and stale-cert cleanup
|
|
- cert_command stdout contract for ops-bridge
|
|
broken_expectations:
|
|
- host-side principal deployment not owned here
|
|
- OpenBao SSH engine mount not deployed from this repo
|
|
out_of_scope_expectations:
|
|
- long-lived API key custody
|
|
- tunnel lifecycle management
|
|
- Vault/OpenBao cluster operations
|
|
reliability:
|
|
level: R2
|
|
name: Tolerable
|
|
confidence: medium
|
|
basis: consumer_quality_signals
|
|
known_reliability_risks:
|
|
- production signing depends on OpenBao availability and token policy
|
|
- local backend requires protected CA key handling by operators
|
|
|
|
discovery:
|
|
intent: >
|
|
Give the ops fleet short-lived SSH credentials for humans, agents, and
|
|
automations without static keys, through a single cert_command surface that
|
|
callers can rely on regardless of CA backend; route non-SSH credential needs
|
|
to the correct NetKingdom subsystems (OpenBao, flex-auth, key-cape).
|
|
includes:
|
|
- certificate signing for adm, agt, and atm actors
|
|
- actor principals inventory and TTL policy
|
|
- cert_command interface (`warden sign`)
|
|
- cert-side compliance scorecard and signatures log
|
|
- ops-ssh-wrapper for automatic cert acquisition
|
|
- NetKingdom credential routing and alignment documentation
|
|
excludes:
|
|
- tunnel lifecycle
|
|
- host /etc/ssh/auth_principals deployment
|
|
- OpenBao or Vault cluster setup
|
|
- long-lived secret storage
|
|
assumptions:
|
|
- callers supply actor public keys; humans self-issue admin keys
|
|
- production platform uses OpenBao with Vault-compatible SSH engine API
|
|
use_cases:
|
|
- ops-bridge tunnel cert_command
|
|
- Inter-Hub bootstrap short-lived agent access
|
|
research_memos:
|
|
- ops-warden/SCOPE.md
|
|
- ops-warden/wiki/CertCommandInterface.md
|
|
- ops-warden/wiki/OpsWardenConfig.md
|
|
|
|
availability:
|
|
current_level: A3
|
|
target_level: A5
|
|
current_artifacts:
|
|
- ops-warden/src/warden/
|
|
- ops-warden/wiki/CertCommandInterface.md
|
|
- ops-warden/wiki/OpsWardenConfig.md
|
|
target_artifacts:
|
|
- packaged ops-warden release with documented OpenBao role bootstrap
|
|
consumption_modes:
|
|
- CLI
|
|
- cert_command subprocess
|
|
|
|
relations:
|
|
depends_on: []
|
|
supports: []
|
|
related_to: []
|
|
|
|
consumer_guidance:
|
|
recommended_for:
|
|
- issuing short-lived SSH certs for ops-bridge tunnels
|
|
- agent or automation access with TTL-bound principals
|
|
- checking cert-side compliance before rotation windows
|
|
- orienting dev workers on which NetKingdom subsystem owns each credential type
|
|
not_recommended_for:
|
|
- storing OpenRouter or Inter-Hub API keys
|
|
- replacing OpenBao deployment or host SSH hardening playbooks
|
|
- static-key-only legacy access (use ops-bridge static key mode instead)
|
|
known_limitations:
|
|
- "VaultCA backend config key remains backend: vault for API compatibility"
|
|
- host-side scorecard checks live in railiance-infra
|
|
---
|
|
|
|
# SSH Certificate Issuance
|
|
|
|
ops-warden is the custodian-domain SSH CA tool. It signs short-lived certificates,
|
|
maintains the actor inventory, and exposes `warden sign` as the cert_command
|
|
contract for ops-bridge and other callers.
|
|
|
|
Production environments point the vault-compatible backend at OpenBao; labs use
|
|
the local ssh-keygen CA backend without platform dependencies. |