<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<title>Security on Jason Stangroome</title>
		<link>/tags/security/</link>
		<description>Recent content in Security on Jason Stangroome</description>
		<generator>Hugo</generator>
		<language>en</language>
		
		
		
		
			<lastBuildDate>Fri, 10 Oct 2025 00:00:00 +0000</lastBuildDate>
		
			<atom:link href="/tags/security/index.xml" rel="self" type="application/rss+xml" />
			<item>
				<title>1Password and SSH_ASKPASS</title>
				<link>/2025/10/10/1password-ssh_askpass/</link>
				<pubDate>Fri, 10 Oct 2025 00:00:00 +0000</pubDate>
				<guid>/2025/10/10/1password-ssh_askpass/</guid>
				<description>&lt;p&gt;1Password has an excellent solution for managing SSH keys securely using their&#xA;&lt;a href=&#34;https://developer.1password.com/docs/ssh/agent/&#34;&gt;1Password SSH Agent&lt;/a&gt;.&#xA;However I interact with a few devices that either require keyboard-interactive&#xA;multi-factor authentication (MFA) or force the use of a password instead of&#xA;accepting keys or certificates.&lt;/p&gt;&#xA;&lt;p&gt;Thankfully, through the use of the&#xA;&lt;a href=&#34;https://developer.1password.com/docs/cli&#34;&gt;1Password CLI&lt;/a&gt;,&#xA;the &lt;a href=&#34;https://man.openbsd.org/ssh#SSH_ASKPASS&#34;&gt;&lt;code&gt;SSH_ASKPASS&lt;/code&gt;&lt;/a&gt;&#xA;environment variable, and a little shell script, we can use&#xA;1Password to fill in these MFA tokens and passwords too.&lt;/p&gt;&#xA;&lt;p&gt;The script, &lt;code&gt;op_ssh_askpass&lt;/code&gt; further below, is expected to be used as follows:&lt;/p&gt;</description>
			</item>
			<item>
				<title>Understanding automated certificate options</title>
				<link>/2025/05/16/understanding-automated-certificate-options/</link>
				<pubDate>Fri, 16 May 2025 00:00:00 +0000</pubDate>
				<guid>/2025/05/16/understanding-automated-certificate-options/</guid>
				<description>&lt;p&gt;In April 2025, &lt;a href=&#34;https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/bvWh5RN6tYI&#34;&gt;CA/B Forum ballot SC-081v3&lt;/a&gt;&#xA;was &lt;a href=&#34;https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/9768xgUUfhQ&#34;&gt;passed&lt;/a&gt;&#xA;to reduce the maximum certificate validity to 47 days by the 15th of March 2029.&#xA;The first step will be to reduce the maximum validity period to 200 days by the 15th of March 2026.&lt;/p&gt;&#xA;&lt;p&gt;There has been &lt;a href=&#34;https://github.com/cabforum/servercert/pull/553&#34;&gt;a great deal of debate&lt;/a&gt; on whether this will be useful or, in some environments, even feasible.&lt;/p&gt;&#xA;&lt;p&gt;Regardless of our personal opinions on the matter, I think its worth clarifying the options we have today for certificate issuance and renewal. I believe that if you&amp;rsquo;re&#xA;aware of all the options, some scenarios where 47-day certificates seemed daunting will become far more achievable.&lt;/p&gt;</description>
			</item>
	</channel>
</rss>
