On Sun, Dec 24, 2017 at 11:36:09PM -0800, Peter Moody wrote:
> finally (and it seems like no one talks about this), ssh certs work
> for hosts as well. that means no more "host key doesn't match"
> warnings, ever.

This feature becomes interesting with dynamic scaling infrastructure (e.g. AWS instances); new hosts can be deployed and the host key automagically accepted. It _does_ require some interesting processes at server build time to ensure the signed cert is placed on the host and no one else could request one :-) There's also renewal to be taken into account.

In general, key management is going to become a large audit talking point in the coming years (especially in the financial industry). Signed keys are a good option for human access to servers (but IMHO terrible for functional/service accounts because you can't put on your normal restrictions). I wish more clients would understand them, though :-(

-- 
rgds
Stephen
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
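The trust decision a client makes when a host presents a certificate instead of a bare key, as an added example that is not from this thread or from OpenSSH: it builds a constructed, unsigned ssh-ed25519-cert-v01@openssh.com blob so it runs offline, parses the fields in the order PROTOCOL.certkeys gives, and applies the checks that replace the known_hosts fingerprint match (host type, principal match, validity window), flagging certificates near expiry so renewal runs before the warning would return. The hostnames, key id and epoch times are constructed values, and verification of the CA signature is not implemented here.

```python
import base64, struct

CERT_TYPE_HOST = 2  # PROTOCOL.certkeys: 1 = user certificate, 2 = host certificate

def _s(b):  # SSH "string": big-endian uint32 length prefix + bytes
    return struct.pack(">I", len(b)) + b

def build_host_cert(principals, valid_after, valid_before, key_id="constructed-host"):
    """Constructed ssh-ed25519-cert-v01@openssh.com body; keys and signature are placeholders."""
    ca_key = _s(b"ssh-ed25519") + _s(b"\x01" * 32)
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"nonce" * 4) + _s(b"\x00" * 32)
            + struct.pack(">QI", 1, CERT_TYPE_HOST) + _s(key_id.encode())  # serial, type
            + _s(b"".join(_s(p.encode()) for p in principals))            # valid principals
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")            # critical options, extensions, reserved
            + _s(ca_key) + _s(b"placeholder-signature"))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()

def parse_cert(cert_line):
    """Walk the certificate fields in wire order and return what a client checks."""
    blob, pos = base64.b64decode(cert_line.split()[1]), 0
    def take():                                     # next SSH string
        nonlocal pos
        (n,) = struct.unpack_from(">I", blob, pos)
        pos += 4 + n
        return blob[pos - n:pos]
    key_type = take().decode()
    take(); take()                                  # nonce, host public key (unused here)
    serial, cert_type = struct.unpack_from(">QI", blob, pos); pos += 12
    key_id = take().decode()
    princ_blob, principals, q = take(), [], 0
    while q < len(princ_blob):                      # nested sequence of SSH strings
        (n,) = struct.unpack_from(">I", princ_blob, q)
        principals.append(princ_blob[q + 4:q + 4 + n].decode())
        q += 4 + n
    valid_after, valid_before = struct.unpack_from(">QQ", blob, pos); pos += 16
    return dict(key_type=key_type, serial=serial, type=cert_type, key_id=key_id,
                principals=principals, valid_after=valid_after, valid_before=valid_before)

def host_cert_check(cert_line, hostname, now, renew_within=7 * 86400):
    """Trust decision on a presented host cert; CA signature verification is out of scope."""
    c = parse_cert(cert_line)
    if c["type"] != CERT_TYPE_HOST:
        return False, "not a host certificate (type %d)" % c["type"]
    if hostname not in c["principals"]:
        return False, "%s not among principals %s" % (hostname, c["principals"])
    if not c["valid_after"] <= now < c["valid_before"]:
        return False, "outside validity window"
    if now >= c["valid_before"] - renew_within:
        return True, "valid, renew before %d" % c["valid_before"]
    return True, "valid"
```

A real deployment pairs this with a `@cert-authority` entry in known_hosts and `HostCertificate` in sshd_config; the build-time step the mail describes is what gets the signed file onto the host before first connection.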