SSH certificates - restricting to host groups

Brian Candler b.candler at pobox.com
Sat Feb 1 03:21:21 AEDT 2020


On 31/01/2020 15:37, Michael Ströder wrote:
> (BTW: yubikey is slow. So if you have admins accessing many machines in
> one go you will get a notable latency during first SSH connection.)

I meant using a single Yubikey as the CA to sign the certificates.

I'm thinking of an organization where the number of admins is in the low 
tens.  The end-game of having daily keys and certs loaded directly into 
ssh-agent is very appealing, but I'm not sure we're ready to jump right 
there yet.  Getting people over to certs and starting to rip out 
~/.ssh/authorized_keys is an important first step.

As for the freshness of the CRL file: this is something we can easily 
monitor and alert on in Prometheus.

Regards,

Brian.
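The freshness check mentioned above, as an added example that is not part of the thread or of OpenSSH itself: a small exporter for the node_exporter textfile collector that reports the age of the revocation list referenced by sshd_config's RevokedKeys (the file the message calls the CRL). The path `/etc/ssh/revoked_keys`, the textfile directory, and the `ssh_krl_*` metric names are assumptions chosen for the example.

```python
"""Added example (not from the original thread): export the age of the
sshd revocation list file as Prometheus metrics via the node_exporter
textfile collector, so a stale revocation list can be alerted on.

Assumptions (not stated in the message): the file is the one named by
sshd_config's RevokedKeys (path below is a placeholder), node_exporter
runs with --collector.textfile.directory pointing at TEXTFILE_DIR, and
the metric names are our own choice.
"""
import os
import sys
import time

# Placeholder paths; adjust to the deployment.
KRL_PATH = "/etc/ssh/revoked_keys"                          # assumed RevokedKeys target
TEXTFILE_DIR = "/var/lib/node_exporter/textfile_collector"  # assumed collector dir


def krl_status(path, now=None):
    """Return (exists, age_seconds, size_bytes) for the revocation file."""
    now = time.time() if now is None else now
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return (False, None, None)
    # Clamp to zero so a clock step backwards never yields a negative age.
    return (True, max(0.0, now - st.st_mtime), st.st_size)


def render_metrics(path, now=None):
    """Render Prometheus text-exposition lines for the file's status.

    A missing file is reported explicitly (ssh_krl_file_present 0) so an
    alert can distinguish 'never refreshed' from 'file vanished'.
    """
    present, age, size = krl_status(path, now)
    lines = [
        "# HELP ssh_krl_file_present 1 if the sshd RevokedKeys file exists.",
        "# TYPE ssh_krl_file_present gauge",
        f"ssh_krl_file_present {1 if present else 0}",
    ]
    if present:
        lines += [
            "# HELP ssh_krl_age_seconds Seconds since the RevokedKeys file was last modified.",
            "# TYPE ssh_krl_age_seconds gauge",
            f"ssh_krl_age_seconds {age:.0f}",
            "# HELP ssh_krl_size_bytes Size of the RevokedKeys file in bytes.",
            "# TYPE ssh_krl_size_bytes gauge",
            f"ssh_krl_size_bytes {size}",
        ]
    return "\n".join(lines) + "\n"


def write_textfile(path=KRL_PATH, outdir=TEXTFILE_DIR):
    """Write the metrics file atomically (write + rename) so node_exporter
    never scrapes a half-written file. Returns the final path."""
    final = os.path.join(outdir, "ssh_krl.prom")
    tmp = final + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(render_metrics(path))
    os.replace(tmp, final)
    return final


if __name__ == "__main__":
    # Run from cron: print metrics for the given (or default) path.
    target = sys.argv[1] if len(sys.argv) > 1 else KRL_PATH
    sys.stdout.write(render_metrics(target))
```

Run it from cron on every host that consumes the revocation list (or call `write_textfile()` to drop the `.prom` file for node_exporter), then alert on `ssh_krl_file_present == 0` or `ssh_krl_age_seconds` exceeding the interval at which the CA republishes the list, for example `ssh_krl_age_seconds > 2 * 3600` if it is refreshed hourly. Exporting the size as well catches a refresh job that wrote an empty file.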