SSH Certificates and user principal logging/auditing?
Hi all,
I've been looking at SSH Certs for authentication. One of the things I'm having trouble wrapping my mind around is this idea of user to principal mapping. From my perspective it just makes auditing/logging more difficult to track.
For example:
Let's just say I have users[1-5] all issued SSH certificates with principal 'www' for all prod servers (or some other generic user).
If everyone logs in to the system with their 'www' principal (ssh -i ~/.ssh/my_signed_cert.pub www@server), there's no way to distinguish who did what on the local system. I get that there are paid and open source agent solutions that do per session auditing and tracking, but why complicate it with an extra layer?
I'd rather have a system log show up like this
* 'user x made xyz change'
* 'user y made abc change'
Rather than
* 'www made xyz change'
* 'www made abc change'
In the system log there's only a record of authentication with the serial number, so you know who logged into the system as 'www' at what time, but after that it's all a blur.
The way I see it, it's better to have a 1:1 user to principal mapping. I guess I understand that some systems only have generic user names like 'postgresql
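An added example (not from the post) of what can and cannot be recovered from sshd's own log when several people share the 'www' principal: it parses constructed auth-log lines, keeps a per-session table of principal, certificate key ID and serial, and answers "who could have been 'www' at this moment". The line shape `... <TYPE>-CERT <fp> ID <key_id> (serial N) CA ...` follows OpenSSH's certificate logging as I know it and is an assumption; hostnames, PIDs, IPs and fingerprints are made up.

```python
import re
from datetime import datetime

# Constructed sshd auth-log sample (hostname, PIDs, IPs, fingerprints are made up).
# The "<TYPE>-CERT <fp> ID <key_id> (serial N) CA ..." layout is assumed to match OpenSSH.
SAMPLE_LOG = """\
Mar 10 09:01:12 prod1 sshd[4311]: Accepted publickey for www from 10.0.0.5 port 51234 ssh2: ED25519-CERT SHA256:AAAA ID alice (serial 41) CA ED25519 SHA256:CACA
Mar 10 09:03:40 prod1 sshd[4380]: Accepted publickey for www from 10.0.0.9 port 40021 ssh2: ED25519-CERT SHA256:BBBB ID bob (serial 42) CA ED25519 SHA256:CACA
Mar 10 09:05:02 prod1 sshd[4311]: pam_unix(sshd:session): session closed for user www
Mar 10 09:07:15 prod1 sshd[4501]: Accepted publickey for carol from 10.0.0.7 port 38800 ssh2: ED25519-CERT SHA256:CCCC ID carol (serial 43) CA ED25519 SHA256:CACA
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
ACCEPT_RE = re.compile(TS + r"Accepted publickey for (?P<principal>\S+) from (?P<ip>\S+) port \d+ "
                       r"ssh2: \S+-CERT \S+ ID (?P<key_id>\S+) \(serial (?P<serial>\d+)\) CA ")
CLOSE_RE = re.compile(TS + r".*session closed for user (?P<principal>\S+)")

def parse_ts(s):
    # Year-less syslog stamp; comparisons are fine within a single day of log.
    return datetime.strptime(s, "%b %d %H:%M:%S")

def build_sessions(log_text):
    """Map sshd PID -> session: which cert (key ID, serial) authenticated as which principal, and when."""
    sessions = {}
    for line in log_text.splitlines():
        if m := ACCEPT_RE.match(line):
            s = {k: m[k] for k in ("principal", "ip", "key_id", "serial")}
            s["opened"], s["closed"] = parse_ts(m["ts"]), None
            # Generic account (principal != key ID): later actions logged as the principal need attribution.
            s["shared"] = s["principal"] != s["key_id"]
            sessions[m["pid"]] = s
        elif (m := CLOSE_RE.match(line)) and m["pid"] in sessions:
            sessions[m["pid"]]["closed"] = parse_ts(m["ts"])
    return sessions

def candidates(sessions, principal, when):
    """Key IDs whose session as `principal` was open at `when` (syslog timestamp string).
    More than one result means a log line blamed on `principal` cannot be pinned to one person."""
    t = parse_ts(when)
    return sorted(s["key_id"] for s in sessions.values()
                  if s["principal"] == principal and s["opened"] <= t
                  and (s["closed"] is None or t < s["closed"]))

if __name__ == "__main__":
    sess = build_sessions(SAMPLE_LOG)
    for when in ("Mar 10 09:04:00", "Mar 10 09:06:00"):
        print(when, "www ->", candidates(sess, "www", when))  # ['alice', 'bob'] then ['bob']
```

With overlapping 'www' sessions the answer is a set of people, not one, which is exactly the gap a 1:1 principal mapping (or a session-recording layer) closes.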