On 1/31/20 5:21 PM, Brian Candler wrote: > On 31/01/2020 15:37, Michael Ströder wrote: >> (BTW: yubikey is slow. So if you have admins accessing many machines in >> one go you will get a notable latency during first SSH connection.) > > I meant using a single Yubikey as the CA sign the certificates. Ah, I've misread that. Just using temporary key/cert files makes things easier at the client side. > I'm thinking of an organization where the number of admins is in the low > tens. The end-game of having daily keys and certs loaded directly into > ssh-agent is very appealing, but I'm not sure we're ready to jump right > there yet. Getting people over to certs and starting to rip out > ~/.ssh/authorized_keys is an important first step. I'm not sure I get your reasoning why having longer cert validity period makes things easier for the user. IMHO the opposite is true. If your installation just works on all required OS platforms (client and server) it's pretty easy to teach people how to use it to get a short-term user cert once or twice a day. Anyway they have to be capable to do this at any time no matter how long the cert validity period is. Ciao, Michael. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
