SSH certificates - restricting to host groups

Michael Ströder michael at
Sat Feb 1 03:47:43 AEDT 2020

On 1/31/20 5:21 PM, Brian Candler wrote:
> On 31/01/2020 15:37, Michael Ströder wrote:
>> (BTW: yubikey is slow. So if you have admins accessing many machines in
>> one go you will get noticeable latency during the first SSH connection.)
> I meant using a single Yubikey as the CA to sign the certificates.

Ah, I've misread that. Just using temporary key/cert files makes things
easier at the client side.

> I'm thinking of an organization where the number of admins is in the low
> tens.  The end-game of having daily keys and certs loaded directly into
> ssh-agent is very appealing, but I'm not sure we're ready to jump right
> there yet.  Getting people over to certs and starting to rip out
> ~/.ssh/authorized_keys is an important first step.

I'm not sure I get your reasoning why having a longer cert validity period
makes things easier for the user. IMHO the opposite is true.

If your installation just works on all required OS platforms (client and
server) it's pretty easy to teach people how to use it to get a
short-term user cert once or twice a day. Anyway, they have to be capable
of doing this at any time no matter how long the cert validity period is.

Ciao, Michael.

More information about the openssh-unix-dev mailing list