OpenSSH key signing service?

John Devitofranceschi jdvf at
Wed Dec 27 14:11:51 AEDT 2017

> On Dec 26, 2017, at 2:09 PM, Stef Bon <stefbon at> wrote:
> 2017-12-25 23:37 GMT+01:00 Peter Moody <mindrot at>:
> I perfectly understand that central management of keys is when
> handling much hosts and many users is a good solution,
> but I think it's a bit odd.
> Please correct me if I'm wrong, the host receives from the authority
> keys, and uses those to do the signature checking, or the creation of
> a signature.
> Keys are send from the authority to the host.
> But why don't let the authority handle everything with the server to
> connect to, keymaterial stays on the cert authority.

I do see your point and there are products out there that provide secure
gateways like you describe. They include all kinds of other features like 
privilege escalation, timed access, session logging, etc.

I’m more interested in a web service that can sign a user’s personal key (only 
the public key needs to be given then), provide short-lived ssh credentials to 
enable access to ’special’ hosts (possibly with a different ca key), and be used 
in the host staging process to sign host keys.  

The user may never even need to directly handle the short-lived credentials. 
The service would just download them into a well-known area and provide the 
user with a link to execute a local (to the user) ssh client with the key 
information included in the command line.

This would be a way to keep the signing keys secured while allowing a high 
degree of self-service. Kind of like how X.509 certificate authorities work.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2393 bytes
Desc: not available
URL: <>

More information about the openssh-unix-dev mailing list