SSH certificates - restricting to host groups
Damien Miller
djm at mindrot.org
Fri Jan 31 10:06:59 AEDT 2020
On Thu, 30 Jan 2020, Christian, Mark wrote:
> However, when alice is no longer authorized, and assuming her cert is
> still valid, you're going to want to use some configuration mgmt to
> manage RevokedKeys, otherwise ensure that alice's cert is valid for a
> short period of time.
AFAIK most organisations that use ssh certificates give them short
(~1 day) lifetimes to avoid the risk of lingering authority, but it's
still useful to have a tested revocation path for the odd case where
you actively need to kill a key/cert.
-d
More information about the openssh-unix-dev
mailing list