On 17/03/19, Jochen Bern (Jochen.Bern@xxxxxxxxx) wrote:
> On 03/16/2019 07:34 PM, Rory Campbell-Lange wrote:
> >>> On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote:
> >>> And that's when you look at using certificate based host keys.
> [...]
> > Is there an issue with using certificate based host keys, as Jochen
> > suggests
>
> (FWIW, that actually was Stephen Harris <lists@xxxxxxxxxx>, as in, the
> *other* guy you Cc:ed. I'm afraid that my employer could not, so far, be
> interested in using SSH certificates, in spite of clear use cases, so my
> experience with them is pretty much nil. :-/ )

Sorry about the quoting mistake.

If you do look at certificates in future, there are a couple of cool
projects on GitHub for using a certificate authority for the client
authorisation part. Although I haven't tried it, ssh-cert-authority
looks quite good
https://github.com/cloudtools/ssh-cert-authority

Uber's pam-ussh is another possibility, but I haven't tried that either.

Perhaps a certificate authority can become part of the openssh suite in
future too?

Rory
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev