feat: Team / Enterprise noports #293
Comments
The primary difference in my mind between the individual (home, one-person company) and enterprise use case is
I believe the solution outlined by @cconstab works in principle
There are lots of other things to do outside of the changes to sshnpd and sshnp
... and much more, but as I said I believe this works in principle
Capturing thoughts from arch call on SSH key management.... A few approaches we've seen:
Next steps: iterate through spikes and reviews until we get a design shape we are happy with. Time-boxing to 5SP for this sprint.
No progress during PR72; moving to PR73
Tasks
Initial problem statement from cconstab
Is your feature request related to a problem? Please describe.
Currently sshnpd only specifies a single manager atSign, which is fine for the original use case, but as we head to teams and enterprises using sshnp we have to allow/control multiple atSigns to get access.
Describe the solution you'd like
The existing code in trunk now allows -u, which allows X number of accounts to login on demand from a manager atSign, but to specify which atSigns I would like to have two options: the -m option and the -m @atSign option. This would allow the atSign to respond with true/false to allowing the requesting atSign access to the sshd on the host running sshnpd. Being able to specify X number of atSigns would create resiliency and hierarchy (I think). This approach does work right now and, if the sshnpd is running as a username with no shell, provides access to any username on the host to log in, which is neat but we need more...
Example logging in as testone on the device iot_device01 and not the username that is running the sshnpd. To allow access to a machine using this method you would just need to ask for the atSign of the user, the username and the public key. This seems very much like an enterprise ready or cloud ready solution.
Describe alternatives you've considered
None, but open to any better ideas. Let's discuss at an arch call.