SSH certificates: the better SSH experience
45 points by raymii
For the "Automate host key certificate distribution?" section, the author skips over the part where the client is getting validated.
For EC2, I've got an automated system where the instances request signed keys from a lambda which validates the uptime (no new certificates for a 10-day-old instance) and tags (don't grant the cert to just about any host). https://codeberg.org/viraptor/auto-ec2-host-key
Code boxes are not scrollable on mobile
Would this work with SK keys?
It does! When I wrote about SSH certs the FIDO key support came out like a week later and it works out of the box. In fact you can do fun things like restrict commands to specific keys, so when you swap in a key it will behave differently on the same command.
Nice article! We recently introduced ssh cert support for pico.sh (https://pico.sh/access-control) and we agree the UX is better. It gives the account admin full control over the keypairs that are allowed to authn, and by leveraging principals we have a mechanism for authz. Revocation is something we have to implement, but it's pretty simple: reject this pubkey from authn.
Golang's crypto/ssh made ssh certs ~100 loc to implement
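As an added illustration of the two comments above (principals for authz, revocation as "reject this pubkey"), here is a stand-alone Go sketch that uses only the standard library instead of crypto/ssh; it is not pico.sh's code or any other project's. The struct is a deliberately reduced form of the OpenSSH certificate layout (several wire fields are left out, as the comments state), the `tbs`/`Sign`/`Check` names are my own, and the `now` and `revoked` inputs are assumed to come from the server's clock and its revocation list.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"slices"
)

// Cert holds the user-certificate fields that drive the authz decision; simplified from
// OpenSSH PROTOCOL.certkeys (nonce, serial, key ID, options and extensions omitted).
type Cert struct {
	Key                     ed25519.PublicKey // user's public key
	Principals              []string          // login names this cert is valid for
	ValidAfter, ValidBefore uint64            // unix seconds, half-open window
	CAKey                   ed25519.PublicKey // signing CA as carried inside the cert
	Signature               []byte
}

// putString writes an SSH wire "string": uint32 length prefix, then the bytes.
func putString(b *bytes.Buffer, s []byte) { binary.Write(b, binary.BigEndian, uint32(len(s))); b.Write(s) }

// tbs serialises the signed portion in OpenSSH field order; principals nest as one string.
func (c *Cert) tbs() []byte {
	var b, p bytes.Buffer
	putString(&b, []byte("ssh-ed25519-cert-v01@openssh.com"))
	putString(&b, c.Key)
	binary.Write(&b, binary.BigEndian, uint32(1)) // cert type: 1 = user, 2 = host
	for _, n := range c.Principals { putString(&p, []byte(n)) }
	putString(&b, p.Bytes())
	binary.Write(&b, binary.BigEndian, c.ValidAfter)
	binary.Write(&b, binary.BigEndian, c.ValidBefore)
	putString(&b, c.CAKey)
	return b.Bytes()
}

// Sign is the CA side: only a holder of the CA private key can mint a certificate.
func (c *Cert) Sign(k ed25519.PrivateKey) { c.CAKey = k.Public().(ed25519.PublicKey); c.Signature = ed25519.Sign(k, c.tbs()) }

// Check is the server side. It verifies against the configured trustedCA only, because the
// CAKey inside the cert is untrusted input until the signature has been validated.
func Check(c *Cert, trustedCA ed25519.PublicKey, user string, now int64, revoked []ed25519.PublicKey) error {
	if !ed25519.Verify(trustedCA, c.tbs(), c.Signature) {
		return errors.New("not signed by the trusted CA, or contents were altered")
	}
	if t := uint64(now); t < c.ValidAfter || t >= c.ValidBefore {
		return errors.New("certificate outside its validity window")
	}
	if slices.ContainsFunc(revoked, func(r ed25519.PublicKey) bool { return bytes.Equal(r, c.Key) }) {
		return errors.New("user key is revoked") // revocation: just reject this pubkey
	}
	if !slices.Contains(c.Principals, user) {
		return errors.New("login name is not a permitted principal")
	}
	return nil
}
```

Note that the principal list is inside the signed bytes, so a client cannot append a login name after the CA has signed; the signature check fails first.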
[Disclaimer, this company once paid me for a contract, which is how I found out about them] SSH certs are also managed pretty well by Teleport. It works by having an agent live on all your nodes to set up a short-lived certificate for just-in-time access whenever you want to SSH in. The author links to SmallStep SSH, which from a cursory glance seems similar.