I got a message that there is some potential for a misunderstanding. I'm neither working for Facebook nor am I the author of the article! I just worked on projects where we had our own SSH CA for projects around the world and wanted to share this great article.
-
So, do you still use root to log in to the system, but you have secured this behaviour? Do you also use an HA for the CA server? And for centralizing the logs, don't you think of the ELK stack?
-
3 logging: We did not expose them to Loki or any centralized logging but the security and audit logs were also stored on a 2nd encrypted device. 2 people were required to decrypt these logs and it was only allowed if the ITSecO had strong indicators for a security violation.
-
Signmykey is an open source project implementing this concept: https://signmykey.io/. Also, no need to revoke certificates when the signed SSH key expires within a few hours ;-)
-
That's also interesting and looks even a bit more convenient in some cases. Nice!
-
How do you distribute RevokedKeys or do you patch OCSP or CRL download support into OpenSSH?
-
Our approach was actually simpler than that. We would just have done this via Ansible. Your ideas sound very interesting, too. :)