Re: OpenSSH key signing service?

On Sun, Dec 24, 2017 at 11:36:09PM -0800, Peter Moody wrote:
> finally (and it seems like no one talks about this), ssh certs work
> for hosts as well. that means no more "host key doesn't match"
> warnings, ever.

This feature becomes interesting with dynamic scaling infrastructure
(e.g. AWS instances); new hosts can be deployed and the host key automagically
accepted.  It _does_ require some interesting processes at server build
time to ensure the signed cert is placed on the host and no one else could
request one :-)

There's also renewal to be taken into account.

In general, key management is going to become a large audit talking
point in the coming years (especially in the financial industry).
Signed keys are a good option for human access to servers (but IMHO
terrible for functional/service accounts because you can't put on your
normal restrictions).

I wish more clients would understand them, though :-(

-- 

rgds
Stephen
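The two operational points above (binding the signed cert to the host it is issued for, and tracking renewal) both come down to fields inside the host certificate: the certificate type, the principals list, and the validity window. The following is an added example, not code from the post or from OpenSSH: a small Python reader for the OpenSSH certificate wire format (as documented in OpenSSH's PROTOCOL.certkeys) that reports those fields for an ssh-ed25519 host cert and flags it for renewal when it is close to expiry. The sample certificate it builds for itself is constructed inline with dummy key bytes and a dummy signature, so it runs offline; point `main` at a real `ssh_host_ed25519_key-cert.pub` to inspect a deployed host's cert. Field names and the renewal lead time are assumptions chosen for illustration.

```python
"""Inspect an OpenSSH ed25519 host certificate and decide if it needs renewal.

Added example, not code from the mailing-list post or from OpenSSH.
The field layout follows OpenSSH's PROTOCOL.certkeys; only the
ssh-ed25519-cert-v01@openssh.com type is handled (other key types
carry extra public-key fields). Signatures are NOT verified here.
"""
import base64
import struct
import sys
import time

CERT_TYPE_USER = 1
CERT_TYPE_HOST = 2
ED25519_CERT = "ssh-ed25519-cert-v01@openssh.com"


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _read_u64(buf, off):
    return struct.unpack_from(">Q", buf, off)[0], off + 8


def _read_u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4


def parse_cert(pubkey_line):
    """Parse one line of a *-cert.pub file into a dict of its fields."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != ED25519_CERT:
        raise ValueError("expected an %s line" % ED25519_CERT)
    blob = base64.b64decode(parts[1])
    off = 0
    key_type, off = _read_string(blob, off)
    if key_type.decode() != parts[0]:
        raise ValueError("key type in blob does not match line prefix")
    _nonce, off = _read_string(blob, off)      # CA-chosen nonce, not needed here
    pubkey, off = _read_string(blob, off)      # the host's ed25519 public key
    serial, off = _read_u64(blob, off)
    cert_type, off = _read_u32(blob, off)
    key_id, off = _read_string(blob, off)      # logged by clients on accept
    principals_blob, off = _read_string(blob, off)
    principals, p = [], 0
    while p < len(principals_blob):            # packed list of strings
        name, p = _read_string(principals_blob, p)
        principals.append(name.decode())
    valid_after, off = _read_u64(blob, off)
    valid_before, off = _read_u64(blob, off)
    _crit, off = _read_string(blob, off)
    _ext, off = _read_string(blob, off)
    _reserved, off = _read_string(blob, off)
    sig_key, off = _read_string(blob, off)     # the CA public key that signed it
    return {
        "type": cert_type, "serial": serial, "key_id": key_id.decode(),
        "principals": principals, "valid_after": valid_after,
        "valid_before": valid_before, "pubkey": pubkey, "ca_key": sig_key,
    }


def host_cert_ok_for(cert, hostname, now):
    """What an ssh client checks before trusting a host cert (signature aside):
    it is a host cert, names this host, and is inside its validity window."""
    return (cert["type"] == CERT_TYPE_HOST
            and hostname in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])


def needs_renewal(cert, now, lead_seconds=7 * 86400):
    """True when the cert has expired or expires within lead_seconds."""
    return cert["valid_before"] - now <= lead_seconds


def _string(b):
    return struct.pack(">I", len(b)) + b


def build_sample_cert(principals, valid_after, valid_before, serial=42):
    """Constructed sample for offline use: dummy key bytes, dummy signature."""
    body = (_string(ED25519_CERT.encode()) + _string(b"\x00" * 32)
            + _string(b"\x11" * 32) + struct.pack(">Q", serial)
            + struct.pack(">I", CERT_TYPE_HOST) + _string(b"host:web-01")
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + _string(b"") + _string(b"") + _string(b"")
            + _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32))
            + _string(_string(b"ssh-ed25519") + _string(b"\x33" * 64)))
    return ED25519_CERT + " " + base64.b64encode(body).decode() + " sample"


if __name__ == "__main__":
    now = int(time.time())
    line = open(sys.argv[1]).read() if len(sys.argv) > 1 else \
        build_sample_cert(["web-01.example.com"], now - 3600, now + 3 * 86400)
    c = parse_cert(line)
    print("principals:", c["principals"], "serial:", c["serial"])
    print("renew soon:", needs_renewal(c, now))
```

Running it against a real cert is a cheap build-time check that the cert the CA handed back actually names the host being built (and nothing else), and a cron job over the fleet's `*-cert.pub` files gives the renewal warning the post asks for.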

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
