prompt to update a host key

Rory Campbell-Lange rory at campbell-lange.net
Mon Mar 18 08:49:20 AEDT 2019


On 17/03/19, Jochen Bern (Jochen.Bern at binect.de) wrote:
> On 03/16/2019 07:34 PM, Rory Campbell-Lange wrote:
> >>> On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote:
> >>> And that's when you look at using certificate based host keys.
> [...]
> > Is there an issue with using certificate based host keys, as Jochen
> > suggests
> 
> (FWIW, that actually was Stephen Harris <lists at spuddy.org>, as in, the
> *other* guy you Cc:ed. I'm afraid that my employer could not, so far, be
> interested in using SSH certificates, in spite of clear use cases, so my
> experience with them is pretty much nil. :-/ )

Sorry about the quoting mistake.

If you do look at certificates in future, there are a couple of cool
projects on GitHub for using a certificate authority for the client
authorisation part.

Although I haven't tried it, ssh-cert-authority looks quite good:
https://github.com/cloudtools/ssh-cert-authority

Uber's pam-ussh is another possibility, but I haven't tried that either.

Perhaps a certificate authority can become part of the OpenSSH suite in
future too?

Rory



More information about the openssh-unix-dev mailing list