Hacker News: sshmania's comments

We built some of this functionality internally 6 months ago. Wish I had seen this then...


So ship it as a product. Offer competition.


Interesting that you can use this for a two-man rule...especially since this API is real-time. I'm having trouble thinking of a scenario where I would use this feature at my company, but cool nonetheless.


You just have to think of it as a sign-off rather than an approval, and you can quickly come up with many use cases for it.

For example, imagine that you are responsible for rolling the build this week, and you need to get a sign-off from an assigned person on each sister team, confirming that they tested their feature area before you pull the trigger and roll the build. You could email and try to contact each person individually, but the cleanest way to solve this would be to create a multi-person approval, where you can track the status of the sign-off for each sister team in real time. Approval serves as an affirmation in this scenario.


Two-man rule?


On the site it's called multi-person approvals, but this is the other name for it https://en.wikipedia.org/wiki/Two-man_rule


Interesting, thanks! How do you get your engineers' public keys uploaded to the LDAP server? Do they generate keys themselves and upload them to some portal?

Also, what makes you distrust Teleport -- is it just third-party code? I think you can (or have to) self-host it, but maybe that's not true for enterprise.


There's a neat Python application, ssh_ldap_pubkey, that not only retrieves the user's pubkeys (e.g. it can be called by SSH) but also allows users to manipulate them (add/delete). So end users generate the keys and push them to the LDAP cluster themselves. The backend servers then validate SSH keys against the LDAP servers instead of locally, so it's a perfectly logical extension of existing LDAP functionality.

It's not specifically Teleport I distrust, it's most cloud-based software due to its often-woeful attention to security. Also, if we suffer a major internet outage and my systems lose connection, it shouldn't stop me SSH'ing into them. So long as my LDAP machines, on the same LAN, are up, I can get in.

I also dislike paying for something we could build ourselves for little-to-moderate effort :)
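The arrangement described in the comment above (sshd asking an LDAP directory for a user's public keys instead of reading them from a local file) hangs off sshd's AuthorizedKeysCommand. The script below is an added example, not code from ssh_ldap_pubkey or from the commenter; it assumes OpenLDAP's ldapsearch, keys stored in the sshPublicKey attribute (the openssh-lpk schema), GNU coreutils `timeout`, and the hypothetical LDAP URI and base DN shown. The two points it adds are the ones a practitioner wants checked: the username sshd hands over is validated before it is interpolated into an LDAP filter, and the directory's response is reduced to bare key lines so nothing else in the LDIF can reach sshd as authorized_keys options.

```shell
#!/bin/sh
# Added example, not code from ssh_ldap_pubkey or from the commenter: a minimal
# AuthorizedKeysCommand that looks a user's keys up in LDAP. Assumptions:
# OpenLDAP's ldapsearch, keys stored in the sshPublicKey attribute
# (openssh-lpk schema), GNU coreutils `timeout`, and the hypothetical
# server/base DN below.
#
# sshd_config side (%u is the login name sshd is authenticating):
#   AuthorizedKeysCommand /usr/local/sbin/ldap-authkeys %u
#   AuthorizedKeysCommandUser nobody

LDAP_URI="${LDAP_URI:-ldap://ldap.example.internal}"     # assumption
BASE_DN="${BASE_DN:-ou=People,dc=example,dc=internal}"   # assumption
LDAP_TIMEOUT="${LDAP_TIMEOUT:-5}"

# sshd hands us the login name, and it ends up inside an LDAP filter, so any
# character that could close or extend the filter ( ) * \ is rejected up front.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]{0,31}$'
}

# Reduce ldapsearch LDIF to authorized_keys lines. Only sshPublicKey values
# that begin with a known key type survive; other attributes, base64-encoded
# values ("sshPublicKey:: ...") and comments are dropped, so a stray attribute
# cannot smuggle authorized_keys options (command=, environment=) into sshd.
extract_keys() {
    awk '/^sshPublicKey: (ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) / {
        sub(/^sshPublicKey: /, "")
        print
    }'
}

# Query the directory for one user's keys. -x: simple (anonymous) bind,
# -LLL: bare LDIF, -o ldif-wrap=no: keep long key values on one line so
# extract_keys can match them. timeout bounds the wait on an unreachable
# directory so a hung lookup cannot stall the sshd session indefinitely.
fetch_keys() {
    user="$1"
    if ! valid_username "$user"; then
        printf 'ldap-authkeys: refusing unsafe username\n' >&2
        return 1
    fi
    timeout "$LDAP_TIMEOUT" ldapsearch -x -LLL -o ldif-wrap=no \
        -H "$LDAP_URI" -b "$BASE_DN" \
        "(&(objectClass=ldapPublicKey)(uid=$user))" sshPublicKey | extract_keys
}

# Entry point when sshd runs us with the username as the single argument.
if [ "$#" -eq 1 ]; then
    fetch_keys "$1"
fi
```

Two notes on behaviour. sshd tries the keys the command prints and, if none authenticates, continues with the usual AuthorizedKeysFile, so a local break-glass key in ~/.ssh/authorized_keys still works when the LDAP servers are down; the outage case raised above is covered by that fallback rather than by the command itself. The extract_keys pattern deliberately refuses keys stored with leading options; if your directory legitimately holds `restrict,command=...` keys, extend the pattern rather than passing LDIF through unfiltered.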

