OpenSSH key signing service?

Stephen Harris lists at
Mon Dec 25 19:23:32 AEDT 2017

On Sun, Dec 24, 2017 at 11:36:09PM -0800, Peter Moody wrote:
> finally (and it seems like no one talks about this), ssh certs work
> for hosts as well. that means no more "host key doesn't match"
> warnings, ever.

This feature becomes interesting with dynamic scaling infrastructure
(e.g. AWS instances); new hosts can be deployed and the host key automagically
accepted.  It _does_ require some interesting processes at server build
time to ensure the signed cert is placed on the host and no one else could
request one :-)

There's also renewal to be taken into account.

In general, key management is going to become a large audit talking
point in the coming years (especially in the financial industry).
Signed keys is a good option for human access to servers (but IMHO
terrible for functional/service accounts because you can't put on your
normal restrictions).

I wish more clients would understand them, though :-(



More information about the openssh-unix-dev mailing list