ssh certificate usage

Hans postbus111 at
Wed Apr 28 17:35:12 EST 2010

>> Is this correct or did I miss something ?
> That is it in a nutshell. You should specify a validity period for the
> certificates in step #3. Since our revocation implementation is weak at
> the moment, it is best to use short-lived certificates that are refreshed
> frequently
Yes, I kept the example as simple as possiible without any of the
other possible restrictions.

> (and hopefully through an easy process for the user).
that will be a challenge...

But the advantage for using certificates is that you can add
restrictions to them and
even better you don't have to distribute the public keys to the
correct system for each user.
Only the ca puiblic key should be once put in the TrustedUserCAKeys file

> You can set AuthorizedKeysFile to /dev/null, so sshd will never find
> any regular keys there. This can be done on a per-user/group/address
> basis using the Match keyword.

That is the one I missed, otherwise users could connect once using the
put there plain public key in the .ssh/authorized_keys2 and remove
their cert pub key and make connections without the restrictions.

So it looks mandatory to me if you use TrustedUserCAKeys to disable
also AuthorizedKeysFile
for the selected users or groups.

> As you are probably aware, the certificate support is very new and I'd
> love to hear any feedback or criticism you may have.

Until so far I like it :)
Have to check still the possible restrictions and how the ssh-agent is
handling the cert pub keys


More information about the openssh-unix-dev mailing list