
For our users we use Kerberos authentication with AD, rather than SSH keys. Once a user has a TGT on their desktop, ticket forwarding takes care of SSH SSO from there.

The same TGT can also be used for other neat things like secure and transparently automounted homes and other directories via NFS4 or CIFS.
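
The ticket-forwarding step above has one prerequisite that is easy to miss: the desktop TGT must have been issued forwardable. If it was not, `ssh` with `GSSAPIDelegateCredentials yes` still logs you in, but no credential reaches the remote host, so a Kerberos-secured NFS4 or CIFS home there cannot be mounted on your behalf. The POSIX shell snippet below is an added example, not code from this thread; it parses `klist -f` output (a constructed sample with the hypothetical user `alice@EXAMPLE.COM`) and only opens an SSO session when the TGT carries the `F` flag.

```shell
#!/bin/sh
# Added example: check that the local TGT is forwardable before relying on
# GSSAPI credential delegation. User, realm and host names are hypothetical.

# Constructed `klist -f` output in MIT Kerberos layout; $1 is the flag string
# to print for the TGT, so the same function can model a non-forwardable one.
klist_sample() {
  printf 'Ticket cache: FILE:/tmp/krb5cc_1000\n'
  printf 'Default principal: alice@EXAMPLE.COM\n\n'
  printf 'Valid starting       Expires              Service principal\n'
  printf '06/16/24 09:00:00  06/16/24 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n'
  printf '\trenew until 06/23/24 09:00:00, Flags: %s\n' "$1"
  printf '06/16/24 09:05:00  06/16/24 19:00:00  host/build01.example.com@EXAMPLE.COM\n'
  printf '\tFlags: FRAT\n'
}

# tgt_flags REALM < klist-output
# Prints the flag string of the TGT for REALM (krbtgt/REALM@REALM), or nothing
# if no such ticket is in the cache. Flags sit on the indented line that
# follows the ticket line, so remember which ticket we just saw.
tgt_flags() {
  awk -v tgt="krbtgt/$1@$1" '
    $NF == tgt            { want = 1; next }
    want && /Flags:/      { sub(/.*Flags: */, ""); print; exit }
                          { want = 0 }'
}

# tgt_forwardable REALM < klist-output : exit 0 only if the TGT has the F flag.
tgt_forwardable() {
  case "$(tgt_flags "$1")" in
    *F*) return 0 ;;
    *)   return 1 ;;
  esac
}

# ssh_sso HOST REALM: open a session with ticket forwarding, or say why not.
# Needs a real Kerberos client, so it is defined but not invoked below.
# Delegation hands the remote host your whole TGT, so scope it with a
# "Host *.example.com" stanza in ~/.ssh/config rather than enabling it globally.
ssh_sso() {
  if ! klist -f 2>/dev/null | tgt_forwardable "$2"; then
    echo "no forwardable TGT for $2; run: kinit -f (or set forwardable = true in [libdefaults])" >&2
    return 1
  fi
  ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes "$1"
}

# Demonstration on the constructed caches.
klist_sample FRIA | tgt_forwardable EXAMPLE.COM && echo "FRIA: forwardable, delegation will work"
klist_sample RIA  | tgt_forwardable EXAMPLE.COM || echo "RIA: not forwardable, remote side gets no TGT"
```

The same check belongs in any wrapper or login hook that assumes an automounted Kerberos home will appear on the remote end; `kinit -f` or `forwardable = true` in `krb5.conf` fixes the usual cause.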




Right, but people seem remarkably reluctant to use the facility which is just there, and it might even be proscribed for systems that aren't "joined to AD", for unexplained reasons. If ephemeral certificates are also used, your ticket can presumably cover getting them too. It's probably not an option for systems with off-site users, though, since sites won't expose their AD systems or put something in front of them.


Kerberos (sssd-ad) backed authentication for SSH is really the best.

You no longer have to deal with SSH keys whatsoever and all the management that goes with them: When users get their access revoked on AD, they get their SSH access revoked as well. You can have group based authorization (only those in the SRE group can access this class of QA endpoints), so when dozens of people a month are being added and removed from the various groups, you don't have to worry about giving them keys/access. They can SSO from their laptops, so all they have to do is open PuTTY and they can connect away without even typing their usernames and passwords, etc.

Lots of these new generation "devops" and "full-stack developers" haven't had the experience of AD and Kerberos, so they spend all this time, blog posts, money, etc. to reinvent the wheel.

Sad really.
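
The setup this comment describes rests on two files on each host: `sshd_config` must accept GSSAPI and nothing that bypasses AD, and `sssd.conf` must actually gate logins on group membership, because `access_provider = ad` without an `ad_access_filter` lets every enabled AD account in. The POSIX shell audit below is an added example, not the commenter's code or part of sssd or OpenSSH; the domain `example.com`, the group DN and the file paths are hypothetical, and the sample configs it checks are constructed inline.

```shell
#!/bin/sh
# Added example: audit an sshd_config / sssd.conf pair for Kerberos-only SSH
# with AD-group authorization. Domain, group DN and paths are hypothetical.

# sshd_opt FILE KEYWORD : first value wins in sshd_config, keywords are
# case-insensitive, so print the first non-comment match.
sshd_opt() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || NF < 2 { next }
    tolower($1) == k     { print $2; exit }' "$1"
}

# sssd_opt FILE SECTION KEY : value of KEY inside [SECTION] of an ini file,
# everything after the first "=" with leading blanks removed (so an LDAP
# filter containing "=" survives intact).
sssd_opt() {
  awk -v s="[$2]" -v k="$3" '
    /^[ \t]*\[/ { cur = $0; sub(/[ \t]+$/, "", cur); next }
    cur == s && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# check_sshd FILE : 0 if Kerberos SSO is on and SSH keys cannot bypass AD.
check_sshd() {
  f=$1; rc=0
  [ "$(sshd_opt "$f" GSSAPIAuthentication)" = yes ] \
    || { echo "sshd: GSSAPIAuthentication is not yes, Kerberos SSO cannot work"; rc=1; }
  # Default is yes; only an explicit "no" leaves delegated TGTs on disk after logout.
  [ "$(sshd_opt "$f" GSSAPICleanupCredentials)" != no ] \
    || { echo "sshd: GSSAPICleanupCredentials no, forwarded tickets outlive the session"; rc=1; }
  # "No SSH keys whatsoever": a stray authorized_keys must not outlive AD revocation.
  [ "$(sshd_opt "$f" PubkeyAuthentication)" = no ] \
    || { echo "sshd: PubkeyAuthentication still enabled, keys bypass AD revocation"; rc=1; }
  return $rc
}

# check_sssd FILE DOMAIN : 0 if [domain/DOMAIN] restricts logins by group.
check_sssd() {
  f=$1; d=$2; rc=0
  ap=$(sssd_opt "$f" "domain/$d" access_provider)
  case "$ap" in
    ad)
      # Without a filter the ad provider only applies account-level checks
      # (expired/disabled accounts, GPO logon rights); the group gate is the filter.
      [ -n "$(sssd_opt "$f" "domain/$d" ad_access_filter)" ] \
        || { echo "sssd: access_provider=ad without ad_access_filter, every enabled AD user may log in"; rc=1; } ;;
    simple)
      [ -n "$(sssd_opt "$f" "domain/$d" simple_allow_groups)" ] \
        || { echo "sssd: access_provider=simple without simple_allow_groups"; rc=1; } ;;
    *)
      echo "sssd: access_provider is '${ap:-permit}', no group-based authorization"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample configs (the default access_provider is permit, hence the .bad case).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# Kerberos SSO only
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PubkeyAuthentication no
UsePAM yes
EOF
cat > "$SAMPLE_DIR/sshd_config.bad" <<'EOF'
GSSAPIAuthentication no
PubkeyAuthentication yes
EOF
cat > "$SAMPLE_DIR/sssd.conf" <<'EOF'
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = example.com
ad_access_filter = (memberOf=CN=SRE,OU=Groups,DC=example,DC=com)
EOF
cat > "$SAMPLE_DIR/sssd.conf.bad" <<'EOF'
[domain/example.com]
id_provider = ad
access_provider = permit
EOF

# On a real host: check_sshd /etc/ssh/sshd_config && check_sssd /etc/sssd/sssd.conf example.com
check_sshd "$SAMPLE_DIR/sshd_config" && check_sssd "$SAMPLE_DIR/sssd.conf" example.com \
  && echo "sample configs pass"
```

`AllowGroups sre` in `sshd_config` is a cheap second layer on top of the sssd filter, since sshd sees the AD groups that sssd resolves; the audit above deliberately checks the sssd side because that is the one that also governs PAM logins on the console.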


That's great until you work for a company that bought Macs for everyone for their design and upper management likes to keep it that way.


You can do it on Mac. I wouldn't recommend binding Macs anymore since Apple broke FileVault for AD accounts in High Sierra (AD accounts don't get the Secure Token by default, which is needed to unlock the drive).

But since Catalina there's now a great Kerberos SSO plugin that you can push through MDM. Previously this was known as Enterprise Connect but only available from Apple Professional Services.



