SSH certificates - restricting to host groups

Damien Miller djm at
Fri Jan 31 10:06:59 AEDT 2020

On Thu, 30 Jan 2020, Christian, Mark wrote:

> However, when alice is no longer authorized, and assuming her cert is
> still valid, you're going to want to use some configuration mgmt to
> manage RevokedKeys, otherwise ensure that alice's cert is valid for a
> short period of time. 

AFAIK most organisations that use ssh certificates give them short
(~1 day) lifetimes to avoid the risk of lingering authority, but it's
still useful to have a tested revocation path for the odd case where
you actively need to kill a key/cert.


More information about the openssh-unix-dev mailing list