
Hmm, what I've always wondered: why can't I have the SSH public key of the server signed/certified the same way as an SSL public key?

That could e.g. allow me to specify "mark all SSH keys certified by company-internal CA as trusted" or to put the expected certificate into DNS...



This exists - http://man7.org/linux/man-pages/man1/ssh-keygen.1.html#CERTI... - though the tooling is a bit bare-bones. There are some tools written to use certificates though, such as Netflix's BLESS (https://github.com/Netflix/bless), Gravitational Teleport (https://github.com/gravitational/teleport) and my own (https://github.com/nsheridan/cashier)


This has actually been a feature in OpenSSH since 5.4, see https://blog.habets.se/2011/07/OpenSSH-certificates.html or the CERTIFICATES section of `ssh-keygen(1)`.
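An added example (not code from the thread, and not OpenSSH's own tooling) of the `ssh-keygen` certificate workflow that the CERTIFICATES section describes, which is what the parent comment asks for: an internal CA signs a server's host key, and one `@cert-authority` line in `known_hosts` trusts every host key that CA certifies. The CA name, hostnames and the 52-week validity window are assumptions; it needs OpenSSH 5.4 or later.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: a hypothetical
# company-internal host CA signs one server's host key, and the client
# trusts the CA for a name pattern instead of pinning each host key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The internal CA key pair. In production keep the private half offline
#    or in an HSM; only host_ca.pub is distributed to clients.
ssh-keygen -q -t ed25519 -N '' -C 'example-host-ca' -f "$WORK/host_ca"

# 2. A server's ordinary host key (on a real host this already lives in /etc/ssh).
ssh-keygen -q -t ed25519 -N '' -C 'web01' -f "$WORK/ssh_host_ed25519_key"

# 3. Issue the host certificate. -h: host (not user) cert; -I: key id for logs;
#    -n: principals, the names a client may match; -V: validity window,
#    something a plain host key never has.
ssh-keygen -q -s "$WORK/host_ca" -h -I 'web01.internal.example' \
    -n 'web01.internal.example,web01' -V '+52w' "$WORK/ssh_host_ed25519_key.pub"
# Output: ssh_host_ed25519_key-cert.pub, served by sshd via HostCertificate.

# 4. Client side: one known_hosts line trusts every host cert the CA signs
#    for the assumed *.internal.example pattern.
printf '@cert-authority *.internal.example %s\n' "$(cat "$WORK/host_ca.pub")" \
    > "$WORK/known_hosts"

# Principals carried by a certificate, comma separated, as ssh-keygen -L lists them.
cert_principals() {
    ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
        | grep -v -e 'Principals:' -e 'Critical Options:' | tr -d ' \t' | paste -sd, -
}

# "yes" when the CA fingerprint embedded in the certificate equals the
# fingerprint of the given CA public key, else "no". This only compares
# fingerprints; the signature itself is verified by ssh at connection time.
cert_signed_by() {
    cert_ca=$(ssh-keygen -L -f "$1" | awk '/Signing CA:/ { print $4 }')
    ca_fp=$(ssh-keygen -lf "$2" | awk '{ print $2 }')
    [ -n "$cert_ca" ] && [ "$cert_ca" = "$ca_fp" ] && echo yes || echo no
}

cert_principals "$WORK/ssh_host_ed25519_key-cert.pub"
cert_signed_by "$WORK/ssh_host_ed25519_key-cert.pub" "$WORK/host_ca.pub"
```

The same CA can issue user certificates (drop `-h`, point sshd at the CA with `TrustedUserCAKeys`), which is what the BLESS, Teleport and cashier tools mentioned above automate.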


Similarly, X.509 is supported in a variant[0] of OpenSSH. For certain kinds of devices, this may be preferable.

[0] http://roumenpetrov.info/secsh/


Facebook does something similar with SSH access to their infrastructure.

https://code.facebook.com/posts/365787980419535/scalable-and...



