cmp0st
cmp0st.bsky.social
Open source software developer interested in small scale infrastructure and application security.
20 cores and 256 GB of ECC RAM for $300 🥵
January 3, 2025 at 3:38 AM
Ah yes, so my goal is to harden a developer workstation, so I guess I should have asked about the application default credentials instead 🤷. I've seen work around moving service account creds off disk, so I figured that might be easier to achieve.
December 22, 2024 at 11:38 PM
If this is the only factor for auth, that is fine by me. So it's not really about MFA.
December 22, 2024 at 11:09 PM
Kind of. I want hardware bound credentials so that my cloud credentials can't be stolen and used elsewhere. I also want to authorize access to those credentials using something like touching my Yubikey. Something that a background process on my machine can't do.
December 22, 2024 at 11:08 PM
Oh interesting, does that simplify the setup in some ways? Maybe I should go read the SPIFFE docs on that. How is authorization to the TPM controlled? I guess I like the idea of authorizing by touching a security key so that some background process can't access those creds.
December 22, 2024 at 10:52 PM
Yeah, the FIDO authenticator support for SSH keys is so easy to set up (e.g. cmp0st.dev/posts/yubike...); it would be awesome if cloud providers made it just as easy to keep credentials off disk.
Yubikey for Git | cmp0st
Calm backwater of the internet with inconsequential thoughts
cmp0st.dev
December 22, 2024 at 10:44 PM
I'm thinking more of a hardware security key like Yubikey, Nitrokey, etc.
December 22, 2024 at 10:42 PM
The proof-of-concept for TPM-based ones here, github.com/salrashid123..., is really cool. Would be awesome if these were supported out of the box by `gcloud` and less of a pain to set up.
GitHub - salrashid123/cloud_auth_tpm: Trusted Platform Module based python auth library for cloud providers
github.com
December 22, 2024 at 10:39 PM
...regardless of whether or not it's broken 😁
December 22, 2024 at 6:11 PM
I did not know!
December 17, 2024 at 3:38 AM
Yeah, can confirm, but I don't have a screenshot. In a sad twist of events, a pentester even reported this to us 🙃 I forget which scanner they used, though.
December 17, 2024 at 12:19 AM
Thanks so much for all your hard work ❤️❤️
December 16, 2024 at 12:45 AM