🔒 Enterprise databases sit inside private networks behind strict security requirements. Connecting them reliably requires handling certificates and tunnels without errors. SSL certificate and SSH tunnel handling for enterprise database connections has been improved. For teams connecting databases inside private networks or with strict certificate requirements, configuration is more reliable and edge cases in cert validation and tunnel setup have been resolved.
Stacksync - Integration Cloud’s Post
More Relevant Posts
A classic PKI joke says: no matter when you issue a certificate, somehow it will always expire on a Friday night or over the weekend. So this year, for April 1st, I decided to treat Murphy’s Law as a design requirement. Together with Ori Furst (CSA, Microsoft), we came up with a simple idea: build a custom policy module for Microsoft AD CS that prevents certificates from expiring at inconvenient times.

Originally the idea was to avoid weekend expirations. But I took it a bit further. The updated module now adjusts certificate validity so that certificates expire only on Monday or Tuesday.

The logic is simple:
• Let the CA calculate the certificate validity as usual
• Inspect the final expiration date (NotAfter) during policy processing
• If the expiration falls on any other day — shorten the validity slightly so the certificate expires on Monday or Tuesday

Of course this is mostly a fun PKI exercise, but it also highlights something real: in many organizations, certificate expiration is not just a technical detail — it’s an operational risk. When certificates expire at the worst possible time, the result can be outages, emergency troubleshooting, and a lot of unnecessary stress. Sometimes good PKI engineering is not only about cryptography and standards — it’s also about thinking operationally.

I published the code here: https://lnkd.in/esWgCQnZ

Disclaimer: The code in the repository was generated with the help of AI and is shared mostly as a humorous April Fools exercise. The operational problem itself, however, is very real.

Have you ever had a critical certificate expire at the worst possible moment?

#PKI #ADCS #Certificates #CyberSecurity #AprilFools
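The three-step rule from the post, worked through as an added example. This is not the author's AD CS policy module (that lives in the linked repository); it is a stand-alone Python function that takes the NotBefore/NotAfter pair a CA would compute and applies the same adjustment. Two details are my assumptions, not stated in the post: the target day when shortening is needed is the most recent Tuesday (the latest allowed day, so the least validity is lost), and a certificate whose validity is so short that the shortened date would fall before NotBefore keeps the CA's original date.

```python
from datetime import datetime, timedelta

# Python weekday numbering: Monday = 0, Tuesday = 1, ..., Sunday = 6.
ALLOWED_EXPIRY_WEEKDAYS = (0, 1)


def adjust_not_after(not_before: datetime, not_after: datetime) -> datetime:
    """Return an expiry no later than `not_after` that falls on Monday or Tuesday.

    Step 1 (CA computes validity) has already happened: the caller passes in
    the NotAfter the CA produced. Step 2 inspects its weekday. Step 3 shortens
    the validity to the most recent Tuesday when the day is Wednesday..Sunday.
    Time of day is preserved so only whole days are removed.
    """
    if not_after <= not_before:
        raise ValueError("NotAfter must be later than NotBefore")
    weekday = not_after.weekday()
    if weekday in ALLOWED_EXPIRY_WEEKDAYS:
        return not_after
    # Wednesday (2) -> 1 day back, Thursday (3) -> 2, ..., Sunday (6) -> 5 days back.
    adjusted = not_after - timedelta(days=weekday - 1)
    # Assumption: never shorten past NotBefore; keep the CA's date instead of
    # issuing a certificate that is already expired.
    if adjusted <= not_before:
        return not_after
    return adjusted


def days_shortened(not_before: datetime, not_after: datetime) -> int:
    """How many days of validity the rule removes for this pair."""
    return (not_after - adjust_not_after(not_before, not_after)).days


def adjust_iso(not_before: str, not_after: str) -> str:
    """Same rule over ISO 8601 strings, convenient for scripting and tests."""
    result = adjust_not_after(datetime.fromisoformat(not_before),
                              datetime.fromisoformat(not_after))
    return result.isoformat()


if __name__ == "__main__":
    # 2025-06-06 is a Friday: the rule pulls expiry back to Tuesday 2025-06-03.
    print(adjust_iso("2024-06-06T12:00:00", "2025-06-06T23:59:59"))
```

Whichever day you choose as the fallback, log both the CA-computed and the adjusted NotAfter at issuance: an operator who sees a certificate that is three days shorter than the template promised should be able to trace why.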
Static SSH keys are a ticking time bomb. We just solved that.

Every enterprise I talk to has the same problem: thousands of SSH public keys scattered across hundreds of servers, no audit trail, no expiration, and no easy way to revoke access when someone leaves.

We just shipped SSH Certificate Authority as part of KeyGrid PKI. Instead of managing authorized_keys files on every server, you configure one trust anchor and let identity drive access.

Here's what changes:
- Developers/Ops authenticate via SSO and get a short-lived certificate (8 hours by default). No persistent keys on servers, no keys to collect when someone leaves.
- CI/CD pipelines get scoped certificates valid for minutes, not permanent deploy keys sitting in secret stores.
- Every certificate issuance is logged with who requested it, which principals were granted, and when it expires. Your auditors will thank you.
- Compromised laptop? Revoke the certificate serial instantly via KRL. No need to touch every server.
- New servers trust the CA from boot via a single TrustedUserCAKeys line. No more "are you sure you want to continue connecting?" prompts.

The feature is HSM-backed, multi-tenant, and integrates with your existing identity provider out of the box.

SSH CA joins our full Modern PKI platform -- ACME, SCEP, EST, CMP, SPIFFE/SVID workload identity, document signing, and Intune. Cloud-hosted or on-premises, your choice. Whether you're issuing TLS certificates, signing documents, authenticating workloads, or now securing SSH access -- it's one platform.

SSH was designed in 1995. The way we manage SSH access shouldn't still look like 1995.

See article here: https://lnkd.in/ehdyyteT
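The fields the post leans on (serial, principals, validity window, KRL revocation) are all carried in the OpenSSH certificate itself. The added example below is not KeyGrid's code; it is a small pure-Python parser for the `ssh-ed25519-cert-v01@openssh.com` wire format as documented in OpenSSH's PROTOCOL.certkeys, plus the policy checks an auditor or admission script would apply: user certificate, non-empty principal list, lifetime of at most 8 hours, currently within its window, and serial not on the revocation list. The sample certificate is constructed inline with placeholder keys and an unverified signature, so it exercises the parser only; signature verification against `TrustedUserCAKeys` is sshd's job and is deliberately out of scope here. The 8-hour cap and the `now` parameter are this example's assumptions.

```python
import base64
import struct

# OpenSSH wire format for ed25519 user certificates (PROTOCOL.certkeys).
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1
MAX_USER_VALIDITY = 8 * 3600   # policy assumption: user certs live at most 8h


def _s(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_cert(serial, key_id, principals, valid_after, valid_before):
    """Pack a constructed user certificate. Keys and signature are placeholders."""
    body = (
        _s(CERT_TYPE)
        + _s(b"\x00" * 32)                              # nonce
        + _s(b"\x02" * 32)                              # subject public key (placeholder)
        + struct.pack(">Q", serial)
        + struct.pack(">I", USER_CERT)
        + _s(key_id.encode())
        + _s(b"".join(_s(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _s(b"")                                       # critical options
        + _s(b"")                                       # extensions
        + _s(b"")                                       # reserved
        + _s(_s(b"ssh-ed25519") + _s(b"\x01" * 32))     # CA signature key (placeholder)
        + _s(b"\x00" * 64)                              # signature (placeholder, unverified)
    )
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()


class _Reader:
    """Sequential reader over an SSH binary blob."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def _take(self, n: int) -> bytes:
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def u64(self) -> int:
        return struct.unpack(">Q", self._take(8))[0]

    def string(self) -> bytes:
        return self._take(self.u32())


def parse_cert(line: str) -> dict:
    """Extract the audit-relevant fields from an id_ed25519-cert.pub style line."""
    kind, b64 = line.split()[:2]
    if kind.encode() != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    r = _Reader(base64.b64decode(b64))
    if r.string() != CERT_TYPE:
        raise ValueError("type string in blob does not match")
    r.string()   # nonce
    r.string()   # subject public key
    cert = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode()}
    pr = _Reader(r.string())          # principals are strings packed inside a string
    principals = []
    while pr.pos < len(pr.buf):
        principals.append(pr.string().decode())
    cert["principals"] = principals
    cert["valid_after"] = r.u64()
    cert["valid_before"] = r.u64()
    return cert


def check_policy(cert: dict, krl_serials: set, now: int) -> list:
    """Return a list of policy violations; empty means the certificate is acceptable."""
    problems = []
    if cert["type"] != USER_CERT:
        problems.append("not a user certificate")
    if not cert["principals"]:
        # OpenSSH treats an empty principal list as valid for ANY user.
        problems.append("empty principal list (valid for any user)")
    lifetime = cert["valid_before"] - cert["valid_after"]
    if lifetime > MAX_USER_VALIDITY:
        problems.append(f"validity {lifetime}s exceeds {MAX_USER_VALIDITY}s")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("outside validity window")
    if cert["serial"] in krl_serials:
        problems.append(f"serial {cert['serial']} is revoked")
    return problems
```

The empty-principal check is the one people miss: a certificate signed without `-n` is accepted for every account the CA is trusted for, which is exactly the "any key, any box" situation certificates were supposed to remove.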
SSH keys are the credential nobody manages, nobody rotates, and nobody can find when the auditor asks.

Every enterprise has a PAM tool. Every enterprise has a password policy. And almost every enterprise has thousands of SSH keys floating around that fit into neither.

They were created by a developer who needed access to a server in 2021. Copied to a CI runner nobody owns anymore. Forwarded to a contractor's laptop that left the building last spring. There's no inventory. No rotation. No expiry. And when someone leaves, the offboarding checklist almost never includes "remove their public key from 400 servers."

It works — until an auditor asks how you'd revoke access in under an hour. Or until a stale key on a forgotten box becomes the foothold in your next incident report.

Here's the uncomfortable part: most teams know this. They just haven't found a fix that doesn't require ripping out how their engineers actually work.

That's where SSH certificates come in. Short-lived, signed by a CA, no key files to chase down. Access expires on its own. Offboarding is a config change, not a manhunt.

We built KeyGrid ApS to make this practical — for your team, or the customers your team supports. If SSH key sprawl is somewhere on your risk register (or your customers'), DM me. Happy to walk through what a sane SSH posture looks like. https://lnkd.in/d64pQvus
These are just some of the areas of your IT that require 24/7 monitoring:
- Server Uptime and Availability
- Network Bandwidth and Availability
- Storage and Disk Capacity
- Domain Name Registration and Renewal
- Software and Licensing
- User Account Privileges
- Security Patching
- Data Backups and Restores

Learn how we help Colorado businesses stay safe and productive every day: https://lnkd.in/gqRXdfUW
PraisonAI, Authentication Bypass, CVE-2026-34952 (Critical) The vulnerability exists in the A2U (Agent-to-User) event stream server component of PraisonAI, which is separate from the gateway server. The `create_a2u_routes()` function registers multiple endpoints without any authentication checks. An unauthenticated attacker first sends a POST request to /a2u/subscribe, which returns a `subscription_id` and stream URL. Then the attacker accesses `/a2u/events/sub/{subscription_id}` to receive a live Server-Sent Events (SSE) stream containing all agent activity....
Ping Identity's IAM Fundamentals course provides a high-level introduction to LDAP, OIDC, OAuth, SAML 2.0 and Decentralized Identity. Identity-based security ensures that users are who they claim to be, and that they can access the digital resources they need, using the devices that they want to use. These processes and technologies are known as identity and access management (IAM).
Timestamps matter ⏰. AU.L2-3.3.7 expects an authoritative time source so audit records from servers, endpoints and network devices align — crucial for incident response and accountability 🔒.

Practical steps you can take today 🛠️:
🕰️ Pick and document an authoritative source (time.nist.gov 🌐 for many SMBs, or a local hardened time server that syncs to NIST).
🖥️ Configure Windows centrally (GPO/Intune + w32tm settings, ensure domain controllers are correct).
🐧 Configure Linux and network gear (chrony/ntpd or systemd-timesyncd; set routers/switches/firewalls to the same NTP server).
🔒 Allow and secure NTP traffic (UDP 123), restrict who can query a local time server and harden that host 📡.
⏱️ Define acceptable skew (1–5 seconds is common) and monitor offsets with scripts or monitoring tools (Nagios, Zabbix, Splunk) 📊.
🧪 Test by generating logs across systems and verifying timestamps correlate; include checks in audits and change control 🔍.

Quick SMB example 💡: Jane 👩💻 at a 75-person firm runs a hardened Linux VM as a local time server synced to time.nist.gov 🌐, points AD GPO and Linux hosts to it, configures network devices the same, and alerts if drift > 5 seconds ⚠️🔔. Quarterly log correlation 📅 confirms consistent timestamps and smoother incident investigations 🔎.

Small, repeatable technical controls plus a short policy = auditable, reliable timestamps ✅. When did you last validate that your logs from different systems actually line up 🤔?

Read more 🔗: https://lnkd.in/e-GcafGC
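The "generate logs across systems and verify timestamps correlate" step, as an added example that is not from the post. The idea: emit one recognisable marker event on every system at the same moment (a scheduled job, a syslog test message), collect the lines, and compute each host's clock offset against the time server's own record of the marker. The log format, host names, marker id and the 5-second threshold are constructed for this example; the drift threshold matches the post's SMB scenario. Because each host writes in its own local UTC offset, the comparison is done after normalising to UTC, which is also where a mis-set timezone on one box shows up as a whole-hour "drift".

```python
import re
from datetime import datetime, timezone

# Constructed sample: the same audit marker as recorded by several systems,
# each stamped with that host's own clock and local UTC offset.
SAMPLE_LOGS = """\
ntp01     2025-03-10T14:00:00.120+00:00 audit-marker id=7f3a
dc01      2025-03-10T09:00:00.410-05:00 audit-marker id=7f3a
web-lin1  2025-03-10T14:00:03.900+00:00 audit-marker id=7f3a
fw-edge   2025-03-10T13:59:51.000+00:00 audit-marker id=7f3a
web-lin1  2025-03-10T14:00:04.000+00:00 sshd: session opened for user jane
"""

LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<ts>\S+)\s+audit-marker id=(?P<marker>\S+)")


def marker_times(log_text: str) -> dict:
    """Map marker id -> {host: UTC datetime} for every audit-marker line."""
    events = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # ordinary log lines are not markers; ignore them
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        events.setdefault(m["marker"], {})[m["host"]] = ts
    return events


def clock_offsets(log_text: str, reference: str) -> dict:
    """Offset in seconds of each host's clock relative to the reference host.

    Positive means the host's clock runs ahead of the reference. Markers the
    reference host did not record cannot be compared and are skipped.
    """
    offsets = {}
    for by_host in marker_times(log_text).values():
        if reference not in by_host:
            continue
        ref = by_host[reference]
        for host, ts in by_host.items():
            offsets[host] = round((ts - ref).total_seconds(), 3)
    return offsets


def drifted_hosts(offsets: dict, max_skew: float = 5.0) -> list:
    """Hosts whose absolute offset exceeds the accepted skew, sorted by name."""
    return sorted(host for host, off in offsets.items() if abs(off) > max_skew)


if __name__ == "__main__":
    offs = clock_offsets(SAMPLE_LOGS, reference="ntp01")
    for host, off in sorted(offs.items()):
        print(f"{host:10} {off:+8.3f}s")
    print("drift alerts:", drifted_hosts(offs))
```

In the sample, dc01 is within a third of a second, web-lin1 is about 3.8 s ahead (inside the 5 s limit but worth a ticket if you are aiming for 1 s), and fw-edge is 9 s behind and raises the alert. Run the same check quarterly and keep the output with the audit evidence.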
🚀 Shyntr v1.1 is coming — with LDAP support.

Most organizations still rely on LDAP as their source of truth. But modern applications expect:
→ OAuth2 / OIDC
→ SAML

This creates a fundamental mismatch.

👉 With Shyntr v1.1, you can now authenticate OIDC and SAML clients using LDAP. No migration. No duplication. No rewrite.

🔐 How it works:
OIDC Client → Shyntr → LDAP
SAML Client → Shyntr → LDAP

Shyntr acts as an identity router:
Bridges protocols in real-time
Translates identity across boundaries
Preserves tenant isolation

💡 What this enables:
Keep your existing LDAP directory
Support modern apps without changing your backend
Gradually move toward Zero Trust architecture

This is not just LDAP support. This is:
👉 LDAP → OIDC
👉 LDAP → SAML
👉 Identity without protocol lock-in

We’re building Shyntr to eliminate the identity tax.
👉 Stop migrating identity
👉 Start routing identity

Docs: https://docs.shyntr.com/

#IAM #ZeroTrust #LDAP #OIDC #SAML #OAuth2 #Identity #Security #OpenSource
End Security Sprawl 🚀 Introducing Unified SSO/RBAC for SUSE Rancher Prime, now Generally Available.

Fragmented identity and access control slows teams down and increases risk. Our new unified framework delivers:
✅ Single Sign-On with trusted providers (AD, LDAP, SAML, OAuth)
✅ Fine-grained RBAC for secure self-service
✅ Centralized auditing & compliance reporting
✅ Zero-Trust enforcement across hybrid & multi-cloud

With one control plane for authentication, authorization and audit, platform teams gain consistent, least-privilege security while developers accelerate onboarding and velocity ✈️

👉 Learn how to unify Kubernetes governance securely and at scale: https://okt.to/Wda2GY

#SUSE #Kubernetes #CloudNative #SUSERancherPrime