OpenSSH 5.4 was released on 2010-03-08, and that is when the project added support for certificate authentication of users and hosts using an OpenSSH certificate format (not X.509)
Why am I telling you this? Because I wanted to find out since when exactly I have been putting off actually experimenting with SSH certificates, and I can now with certainty say that as far as this topic is concerned I've been an idiot over the last 16 years!
sshd-session[4063]: error: Certificate invalid: expired
Really good!
sshd-session[4077]: error: Certificate invalid: name is not a listed principal
@cynicalsecurity oof, you're asking a beginner ...
No more TOFU (servers are implicitly trusted), principal names in cert define as *which* users I can login. Validity times (also relative) can be specified (cynicalsecurity can login for 2 days), remote commands can be enforced, and lots more probably.
@jpmens @cynicalsecurity I thought known_hosts still updated, just quietly / no prompt because of trusted root cert.
Am I wrong?
@buherator exactly that post is what got me interested at the time (before I put it all aside for many years :-( )
@pmevzek good ideas in that slide deck, and thank you -- interesting.
Pity that the BLESS software (meanwhile put to pasture by Netflix) requires AWS. I've also been looking at step (https://smallstep.com/blog/use-ssh-certificates/) which seems well documented etc, but they seem to need an IDP which is probably fine for very large orgs but surely overkill for smallish projects.
SSH has some pretty gnarly issues when it comes to usability, operability, and security. The good news is this is all easy to fix. SSH is ubiquitous. It’s the de-facto solution for remote administration of *nix systems. SSH certificate authentication makes SSH easier to use, easier to operate, and more secure.
This is a guide to setting up a YubiKey for use as an offline SSH certificate authority. This assumes a brand new YubiKey with no prior configuration on it, to be used solely as a CA. Why? Typically a CA should be on a secured, isolated machine. Using a dedicated YubiKey means you can isolate your CA and keep it in a drawer so that it can’t be accessed. YubiKeys offer protections such as requiring a PIN and/or touching the key for PIV operations.
@jamesog very good writeup and thank you.
I see you've added stuff to ensure I had a coffee before starting!
I stumbled over "first" and "second" the as order is swapped. (Just a small nit.)
@jamesog I think there might be a copy/paste error here, or is it actually the Yubikey which is inaccurately reporting the slot number?
Checking my own 5C NFC (version 5.4.3) I note slot numbers are strangely reported... [strange meaning "I don't understand"]
Slot 8A (RETIRED9):
JP Mens
Howard Chu @ Symas
cynicalsecurity 
DrScriptt
buherator
fG!
Hans van Zijst
David de Groot
Patrick Mevzek
James O'Gorman