On Thu, May 4, 2017 at 5:43 AM, Devin Nate <devin.nate@xxxxxxxxxxx> wrote:
> Additionally, we're looking for some creative advice around handling thousands of keys in our specific environment.

Hi Devin, have you looked at using openssh certificates to help manage your key distribution problem?

By issuing host certificates signed by a common CA, it means that your clients need only a single entry in their known_hosts file, and by issuing user certificates signed by a common CA, you can simplify management of the authorized_keys file (or their certificate equivalent, authorized_principals).

While the feature has been around for a while now (and is really useful), there doesn't seem to be a huge amount of documentation around it. I found the following useful when getting a client of mine running with it:

https://ef.gy/hardening-ssh

and in their case we ended up open-sourcing the command-line tool we built that does SSO with their IdP, fetches a short-lived certificate and then automatically configures the client SSH to use it:

https://github.com/continusec/geecert

Facebook also published a recent article about their use of SSH certificates here:

https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/
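A scratch-directory walk-through of the host-CA and user-CA setup described in the reply above, added here as an illustration rather than taken from the thread or from the geecert project; the hostnames, account names and the example.test domain are constructed placeholders, and everything is written under a directory you pass in so the real ~/.ssh and /etc/ssh are untouched:

```shell
#!/bin/sh
# Added example (not from the original message): a minimal OpenSSH
# certificate setup in a scratch directory, so it can be run end-to-end
# without touching the real ~/.ssh or /etc/ssh. Hostnames, user and
# principal names below are constructed placeholders.
set -eu

setup_ssh_ca() {
  dir=$1
  mkdir -p "$dir"

  # Two CAs: one that signs host keys, one that signs user keys.
  # Keep them separate so a host CA compromise cannot mint user certs.
  ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$dir/host_ca"
  ssh-keygen -q -t ed25519 -N '' -C user-ca -f "$dir/user_ca"

  # A server's host key, signed with -h (host cert). Principals are the
  # names clients will connect to; the cert is only valid for those.
  ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
  ssh-keygen -q -s "$dir/host_ca" -I "web01.example.test host key" -h \
    -n web01.example.test,web01 -V -5m:+52w \
    "$dir/ssh_host_ed25519_key.pub"

  # A user's key, signed as a short-lived user cert (8 hours here) whose
  # principals are the account names it may log in as.
  ssh-keygen -q -t ed25519 -N '' -f "$dir/id_ed25519"
  ssh-keygen -q -s "$dir/user_ca" -I "alice@example.test" \
    -n alice,deploy -V -5m:+8h "$dir/id_ed25519.pub"

  # Client side: one known_hosts line trusts every host cert from host_ca.
  printf '@cert-authority *.example.test %s\n' "$(cat "$dir/host_ca.pub")" \
    > "$dir/known_hosts"

  # Server side: trust user certs from user_ca; sshd also needs
  # HostCertificate pointing at the cert its host key was issued.
  cat > "$dir/sshd_config.snippet" <<EOF
HostKey $dir/ssh_host_ed25519_key
HostCertificate $dir/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys $dir/user_ca.pub
EOF
}

# Print the principals embedded in a certificate, one per line.
cert_principals() {
  ssh-keygen -L -f "$1" | awk '/Principals:/{p=1;next} /Critical Options:/{p=0} p{print $1}'
}
```

Run `setup_ssh_ca /tmp/sshca-demo` and then `cert_principals /tmp/sshca-demo/id_ed25519-cert.pub` to confirm which principals the user certificate carries before deploying any of the files.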