Very commonly within the Reliability Engineering community, we talk about Service Level Objectives (SLO’s), but rarely do we talk about the underpinning indicators that tell us whether a system is healthy. In this talk, we talk about systems that all around us, and how to pick out some indicators. This is my presentation from SLOConf 2022.

With the movement away from passwords towards more cryptographically secure methods, SSH public/private key pairs have become more prevalent amongst technologists to access remote systems. When hardening a new Linux or Unix server, one of the first tasks of the administrator should be to disable password authentication, thereby reducing the attack vector brute forcing logins against the system. However, while the use of SSH keys over password authentication reduces the effectiveness of brute force attacks, by itself it is still only "one factor authentication"; it replaces something you know (password) for something you have (the keypair). Additionally, just as with a password, there is the same risk of the keypair being leaked or stolen. With the usage of a signed SSH Certificate, a known and trusted source (i.e., a Certificate Authority) can cryptographically "sign" and scope an SSH key, restricting access a specific environment as a pre-determined user for a short period of time. This paper will identify how the use of a SSH Certificates increases the auditability of users in a shared/multi-tenant environment, reduces the footholds for lateral movement by a bad actor, and decreases the blast radius when a key pair is leaked.