OpenSSH contract development / patch

Adam Eijdenberg adam at
Thu May 4 09:37:59 AEST 2017

On Thu, May 4, 2017 at 5:43 AM, Devin Nate <devin.nate at> wrote:
> Additionally, we’re looking for some creative advice around handling thousands of keys in our specific environment.

Hi Devin, have you looked at using openssh certificates to help manage
your key distribution problem? By issuing host certificates signed by
a common CA, it means that your clients need only a single entry in
their known_hosts file, and by issuing user certificates signed by a
common CA, you can simplify management of the authorized_keys file (or
their certificate equivalent, authorized_principals).

While the feature has been around for a while now (and is really
useful), there doesn't seem to be huge amount of documentation around
it. I found the following useful when getting a client of my running
with it: and in their case we ended up
open-sourcing the command-line tool we built that does SSO with their
IdP, fetch a short-lived certificate and then automatically configure
the client SSH to use it:

Facebook also published a recent article about their use of SSH
certificates here:

More information about the openssh-unix-dev mailing list