Hi,

On Wed, Apr 22, 2015 at 02:51:02PM -0700, Reuben Hawkins wrote:
> Can a signed key from a common CA fit in this process somewhere? I do
> want to avoid forcing a requirement onto our customers to get keys
> signed by us, or anybody else.

"common" = "common to the client and server", no external parties needed.

Recent OpenSSH versions can handle signed keys, so if your management
system can generate keys for both client and server, and sign them, all
the systems know that they all belong to the same management domain - and
you could trust all keys signed with a given signature (if I understood
that part right, didn't try it yet).

Might not fit your need, but worth consideration.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert@xxxxxxxxxxxxxx
fax: +49-89-35655025
gert@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
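
Added example, not part of the original message: the setup described above as shell commands, in which one private CA key signs both a host key and a user key with ssh-keygen, and each side is told to trust that CA rather than individual keys. The host name, login, file paths and validity periods are constructed for illustration.

```shell
#!/bin/sh
# One CA key pair for the whole management domain; no external party involved.
# All names, paths, principals and lifetimes below are constructed examples.

# make_ca DIR: create the CA key pair (keep DIR/ca private and offline).
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'example-mgmt-ca' -f "$1/ca"
}

# sign_host DIR FQDN: create a host key and a host certificate valid for FQDN.
sign_host() {
    ssh-keygen -q -t ed25519 -N '' -f "$1/ssh_host_ed25519_key"
    ssh-keygen -q -s "$1/ca" -h -I "host-$2" -n "$2" -V +52w \
        "$1/ssh_host_ed25519_key.pub"
}

# sign_user DIR LOGIN: create a user key and a short-lived certificate for LOGIN.
sign_user() {
    ssh-keygen -q -t ed25519 -N '' -f "$1/id_ed25519"
    ssh-keygen -q -s "$1/ca" -I "user-$2" -n "$2" -V +1d "$1/id_ed25519.pub"
}

# cert_type FILE: print "host" or "user" as reported by ssh-keygen -L.
cert_type() {
    ssh-keygen -L -f "$1" | awk '/Type:/ {print $3}'
}

# trust_config DIR: print the lines that make each side trust the CA.
trust_config() {
    # Client known_hosts: accept any matching host that presents a CA-signed cert.
    printf '@cert-authority *.example.com %s\n' "$(cat "$1/ca.pub")"
    # Server sshd_config: present the host cert, accept CA-signed user certs.
    printf 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\n'
    printf 'TrustedUserCAKeys /etc/ssh/ca.pub\n'
}

# Run the whole flow in a scratch directory when ssh-keygen is installed.
if command -v ssh-keygen >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_ca "$demo" && sign_host "$demo" host1.example.com && sign_user "$demo" alice
    echo "host cert type: $(cert_type "$demo/ssh_host_ed25519_key-cert.pub")"
    echo "user cert type: $(cert_type "$demo/id_ed25519-cert.pub")"
    trust_config "$demo"
    rm -rf "$demo"
fi
```

Because a certificate is bound to its type and principals, a host certificate cannot be used to log in as a user and a user certificate for one login is not accepted for another.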