@cert-authority for hostbased auth - sans shosts?

Chris Rapier rapier at psc.edu
Thu Nov 16 04:09:42 AEDT 2023


On 11/11/23 9:31 PM, Damien Miller wrote:

> It's not discouraged so much as rarely used. It's very useful in some
> situations and I can think of good reasons to use it more often (e.g.
> requiring both host and user identity as part of authentication).
> 
> It definitely has more rough edges than user publickey authentication -
> it's harder to set up (admin only) and harder to debug, as it requires
> access to authentication logs and we haven't put as much effort into
> making the logs useful and actionable when something is misconfigured.

We use it extensively to manage the nodes in our HPC clusters. It ends
up being much less difficult to maintain than the alternatives.


More information about the openssh-unix-dev mailing list