On Wed, May 3, 2017 at 6:01 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
>
> On Wed, 3 May 2017, Stephen Harris wrote:
>
>> On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote:
>> > Hi Devin, have you looked at using openssh certificates to help manage
>> [...]
>> > While the feature has been around for a while now (and is really
>> > useful), there doesn't seem to be a huge amount of documentation around
>> > it. I found the following useful when getting a client of mine running
>>
>> Yeah, when I wrote about it last year I didn't find many clients
>> (just the openssh client) understood it:
>> https://www.sweharris.org/post/2016-10-30-ssh-certs/
>
> Nice guide. You might want to mention hostname canonicalisation[1] in
> relation to host certs; it keeps things happy when users specify
> unqualified hostnames.
>
>> How many clients do work with CA signed keys?
>
> The Go x/crypto/ssh package supports OpenSSH certificates and offers
> a callback that's pretty easy to hook up with them.

and how

> I don't know whether anybody is using it for that though.

we use the go stuff to write certs to an ssh-agent process, so it's still
just an openssh client that's using the resulting cert/key

the terminal emulation stuff scares me more than writing/maintaining an
ssh ca, so I've never really tried to write a full openssh client
replacement.

> I do know of some certified host keys in the wild with only OpenSSH
> as the client.
>
> -d
>
> [1] http://blog.djm.net.au/2014/01/hostname-canonicalisation-in-openssh.html
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
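The thread touches two things a client must get right with host certificates: which CA it trusts (the @cert-authority line in known_hosts, or the callback in x/crypto/ssh) and whether the name the user typed matches a principal in the cert, which is why Damien's point about hostname canonicalisation matters. The following is an added example, written for this thread and not code from OpenSSH, x/crypto/ssh or any poster. It encodes and parses the ssh-ed25519-cert-v01@openssh.com wire format as described in OpenSSH's PROTOCOL.certkeys, then applies the trust-anchor, validity-window and principal checks to a constructed host certificate. All key bytes, the signature and the fixed "now" are placeholders, and the `canonicalise` helper is a simplified stand-in for CanonicalizeHostname (no DNS probing). Signature verification is left out on purpose; it needs an Ed25519 implementation and is assumed to run alongside these checks.

```python
"""Parse and check an OpenSSH host certificate (constructed sample, no real keys)."""
import struct
from dataclasses import dataclass

CERT_TYPE_USER = 1
CERT_TYPE_HOST = 2
KEY_TYPE = "ssh-ed25519-cert-v01@openssh.com"
NOW = 1493856000  # constructed fixed clock (4 May 2017 UTC) so results are deterministic


def _string(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    """Minimal cursor over SSH wire encoding; raises on truncated input."""
    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.off); self.off += 4; return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.off); self.off += 8; return v

    def string(self) -> bytes:
        n = self.u32()
        s = self.data[self.off:self.off + n]
        if len(s) != n:
            raise ValueError("truncated certificate")
        self.off += n
        return s

    def names(self) -> list:
        """Principals: a string whose body is a sequence of packed strings."""
        inner, out = _Reader(self.string()), []
        while inner.off < len(inner.data):
            out.append(inner.string().decode())
        return out


@dataclass
class Certificate:
    nonce: bytes
    public_key: bytes
    serial: int
    cert_type: int
    key_id: str
    principals: list
    valid_after: int
    valid_before: int
    signature_key: bytes  # blob of the CA public key that signed the cert
    signature: bytes


def encode_certificate(c: Certificate) -> bytes:
    """Field order from PROTOCOL.certkeys; critical options/extensions left empty."""
    body = b"".join(_string(n.encode()) for n in c.principals)
    return b"".join([
        _string(KEY_TYPE.encode()), _string(c.nonce), _string(c.public_key),
        struct.pack(">Q", c.serial), struct.pack(">I", c.cert_type),
        _string(c.key_id.encode()), _string(body),
        struct.pack(">Q", c.valid_after), struct.pack(">Q", c.valid_before),
        _string(b""), _string(b""), _string(b""),  # critical options, extensions, reserved
        _string(c.signature_key), _string(c.signature),
    ])


def parse_certificate(blob: bytes) -> Certificate:
    r = _Reader(blob)
    if r.string().decode() != KEY_TYPE:
        raise ValueError("unsupported certificate key type")
    nonce, public_key = r.string(), r.string()
    serial, cert_type, key_id = r.u64(), r.u32(), r.string().decode()
    principals = r.names()
    valid_after, valid_before = r.u64(), r.u64()
    r.string(); r.string(); r.string()  # critical options, extensions, reserved
    signature_key, signature = r.string(), r.string()
    if r.off != len(blob):
        raise ValueError("trailing bytes after certificate")
    return Certificate(nonce, public_key, serial, cert_type, key_id, principals,
                       valid_after, valid_before, signature_key, signature)


def canonicalise(hostname: str, domains) -> str:
    """Simplified CanonicalizeHostname: qualify a bare name with the first
    CanonicalDomains entry. OpenSSH itself probes each domain via DNS."""
    if "." in hostname or not domains:
        return hostname
    return f"{hostname}.{domains[0]}"


def check_host_certificate(cert: Certificate, hostname: str, trusted_ca_keys, now=NOW):
    """Client-side checks before a host cert is accepted; signature verification
    is assumed to happen separately. Returns (ok, reason)."""
    if cert.cert_type != CERT_TYPE_HOST:
        return False, "not a host certificate"
    if cert.signature_key not in trusted_ca_keys:  # the @cert-authority decision
        return False, "signing CA is not trusted"
    if not (cert.valid_after <= now < cert.valid_before):
        return False, "outside validity window"
    if cert.principals and hostname not in cert.principals:  # empty list = any host
        return False, f"{hostname!r} not among principals {cert.principals}"
    return True, "ok"


# Constructed placeholders: not real keys or a real signature.
CA_KEY = _string(b"ssh-ed25519") + _string(b"\x11" * 32)
TRUSTED_CAS = {CA_KEY}


def sample_host_certificate() -> Certificate:
    return Certificate(nonce=b"\x42" * 32, public_key=b"\x22" * 32, serial=1,
                       cert_type=CERT_TYPE_HOST, key_id="web1 host key",
                       principals=["web1.example.com"], valid_after=NOW - 3600,
                       valid_before=NOW + 86400, signature_key=CA_KEY, signature=b"\x00" * 64)


if __name__ == "__main__":
    cert = parse_certificate(encode_certificate(sample_host_certificate()))
    for host in ("web1", canonicalise("web1", ["example.com"])):
        print(host, check_host_certificate(cert, host, TRUSTED_CAS))
```

Running it shows the effect Damien describes: the bare name `web1` fails the principal check even though the CA, window and signature are all fine, while the canonicalised `web1.example.com` passes. The same checks, minus DNS-based canonicalisation, are what a HostKeyCallback built on x/crypto/ssh's CertChecker performs before the signature is verified.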