OpenSSH key signing service?
Stephen Harris
lists at spuddy.org
Mon Dec 25 19:23:32 AEDT 2017
On Sun, Dec 24, 2017 at 11:36:09PM -0800, Peter Moody wrote:
> finally (and it seems like no one talks about this), ssh certs work
> for hosts as well. that means no more "host key doesn't match"
> warnings, ever.
This feature becomes interesting with dynamic scaling infrastructure
(e.g. AWS instances); new hosts can be deployed and the host key automagically
accepted. It _does_ require some interesting processes at server build
time to ensure the signed cert is placed on the host and no one else could
request one :-)

There's also renewal to be taken into account.

In general, key management is going to become a large audit talking
point in the coming years (especially in the financial industry).

Signed keys are a good option for human access to servers (but IMHO
terrible for functional/service accounts because you can't put on your
normal restrictions).

I wish more clients would understand them, though :-(
--
rgds
Stephen
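As an added example, not code from the thread or from OpenSSH itself: a shell walkthrough of the host-certificate process discussed above, from the CA to the signed host cert, the renewal window, and the client trust line. It needs `ssh-keygen` on the PATH; the CA location, hostnames, address range and `/etc/ssh` paths are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread): mint an OpenSSH host certificate from a CA,
# then run the checks a build or renewal job should pass before installing it.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA key. In a real deployment it lives in an HSM/KMS that only the build pipeline
# can drive; that access control, not the cert format, stops arbitrary requests.
ssh-keygen -q -t ed25519 -N '' -C 'host-ca' -f "$WORK/host_ca"

# The new instance makes its own host key; only the public half goes to the CA.
ssh-keygen -q -t ed25519 -N '' -f "$WORK/ssh_host_ed25519_key"

# Sign as a HOST cert (-h). -n pins the names clients will connect to; pass -V for
# a bounded lifetime so renewal is designed in. Writes <keyname>-cert.pub.
sign_host_cert() {  # $1 host public key, $2 principals, rest: extra ssh-keygen args
    key=$1; principals=$2; shift 2
    ssh-keygen -q -s "$WORK/host_ca" -I 'web-01-build' -h -n "$principals" "$@" "$key"
}

# Checks over `ssh-keygen -L` output; each exits 0 on pass.
is_host_cert()  { ssh-keygen -L -f "$1" | grep -q 'Type: .* host certificate'; }
has_expiry()    { ! ssh-keygen -L -f "$1" | grep -q 'Valid: forever'; }
signed_by()     { # $1 cert, $2 CA public key: SHA256 fingerprints must match
    ssh-keygen -L -f "$1" | grep 'Signing CA:' | grep -qF "$(ssh-keygen -lf "$2" | awk '{print $2}')"
}
has_principal() { # $1 cert, $2 name that must be listed under Principals:
    ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' | awk '{$1=$1; print}' | grep -qxF "$2"
}

CERT="$WORK/ssh_host_ed25519_key-cert.pub"
sign_host_cert "$WORK/ssh_host_ed25519_key.pub" 'web-01.example.internal,10.0.0.12' -V +4w
is_host_cert "$CERT" && has_expiry "$CERT" && signed_by "$CERT" "$WORK/host_ca.pub" \
    && has_principal "$CERT" web-01.example.internal && echo "cert OK: install it"

# Failure mode: signing without -V gives a cert valid forever, so the renewal
# step never happens. The check rejects it.
cp "$WORK/ssh_host_ed25519_key.pub" "$WORK/noexpiry.pub"
sign_host_cert "$WORK/noexpiry.pub" 'web-01.example.internal'
has_expiry "$WORK/noexpiry-cert.pub" || echo "rejected: no expiry, would never be renewed"

# Server side: sshd presents the cert next to its key (paths are assumed).
printf 'HostKey /etc/ssh/ssh_host_ed25519_key\nHostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\n'
# Client side: one known_hosts line trusting the CA for a name pattern replaces
# per-host entries, so a fresh instance triggers no "host key doesn't match" prompt.
printf '@cert-authority *.example.internal,10.0.0.* %s\n' "$(cut -d' ' -f1,2 "$WORK/host_ca.pub")"
```

The two printed lines go into `sshd_config` on the host and into the clients' `known_hosts` respectively; with them in place a newly built instance is trusted as soon as its cert is installed.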