OpenSSH 5.4 was released on 2010-03-08, and that is when the project added support for certificate authentication of users and hosts using an OpenSSH certificate format (not X.509).

Why am I telling you this? Because I wanted to find out since when exactly I have been putting off actually experimenting with SSH certificates, and I can now with certainty say that as far as this topic is concerned I've been an idiot over the last 16 years!

@jpmens tell us more? In which way is it better?

@cynicalsecurity oof, you're asking a beginner ...

No more TOFU (servers are implicitly trusted), principal names in the cert define *which* users I can log in as. Validity times (also relative) can be specified (cynicalsecurity can log in for 2 days), remote commands can be enforced, and lots more probably.

@cynicalsecurity most importantly: no more authorized_keys files, no known_hosts updating on the client (i.e. servers can change host key without *** WARNING)
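The features listed in the two posts above, worked through as an added shell example (this is not something posted in the thread): a throwaway user CA and host CA, a user certificate restricted to two principals with a 2-day validity and a forced command, a host certificate, and the sshd_config / known_hosts lines that make each side trust the CA instead of authorized_keys and per-host known_hosts entries. All key names, principals, the hostname and the forced-command path are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway OpenSSH CA, sign a
# short-lived, principal-restricted user cert plus a host cert, and print the
# config lines that make servers and clients trust the CA. All names below
# (alice, deploy, web1.example.com, /usr/local/bin/deploy-only) are made up.
set -eu

demo_ssh_ca() {
    work=$(mktemp -d)

    # Separate CAs for users and hosts: a server trusts only the user CA,
    # a client trusts only the host CA, so neither key can forge the other side.
    ssh-keygen -q -t ed25519 -N '' -C user-ca -f "$work/user_ca"
    ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$work/host_ca"

    # The user's own key pair (in practice only alice.pub ever reaches the CA).
    ssh-keygen -q -t ed25519 -N '' -C alice-laptop -f "$work/alice"

    # Sign it: valid 2 days, usable only as the accounts 'alice' and 'deploy',
    # forced command, no port forwarding. Writes alice-cert.pub next to alice.pub.
    ssh-keygen -q -s "$work/user_ca" -I alice-laptop-2024 \
        -n alice,deploy -V +2d \
        -O force-command=/usr/local/bin/deploy-only \
        -O no-port-forwarding \
        "$work/alice.pub"

    # Host cert for web1: -h marks it as a host certificate; the principals are
    # the names clients will connect to. Writes ssh_host_ed25519_key-cert.pub.
    ssh-keygen -q -t ed25519 -N '' -f "$work/ssh_host_ed25519_key"
    ssh-keygen -q -s "$work/host_ca" -I web1 -h -n web1.example.com,web1 \
        -V +52w "$work/ssh_host_ed25519_key.pub"

    # What each side needs instead of authorized_keys / per-host known_hosts.
    echo "# sshd_config on every server:"
    echo "TrustedUserCAKeys /etc/ssh/user_ca.pub"
    echo "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
    echo "# known_hosts on every client (one line covers every host the CA signs):"
    printf '@cert-authority *.example.com,web1 %s\n' "$(cut -d' ' -f1,2 "$work/host_ca.pub")"

    # Inspect the user cert and fail unless the restrictions actually landed:
    # ssh-keygen -L lists each principal and each critical option on its own line.
    cert=$(ssh-keygen -L -f "$work/alice-cert.pub")
    echo "$cert"
    status=0
    echo "$cert" | grep -q '^ *alice$' &&
        echo "$cert" | grep -q '^ *deploy$' &&
        echo "$cert" | grep -q '^ *force-command /usr/local/bin/deploy-only$' || status=1

    rm -rf "$work"
    return "$status"
}

demo_ssh_ca
```

Run it with ssh-keygen on PATH; it prints the certificate as `ssh-keygen -L` shows it and exits non-zero if the principals or the forced command did not end up in the cert. The server needs only the CA public key in TrustedUserCAKeys. One piece the thread does not mention: a cert issued for 2 days cannot be recalled early unless the server also has a RevokedKeys file (a KRL built with `ssh-keygen -k`), so short validity and revocation go together.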

@jpmens @cynicalsecurity I thought known_hosts still updated, just quietly / no prompt because of trusted root cert.

Am I wrong?

@cynicalsecurity @jpmens My former company still uses SSH certs. From the top of my head:

- auditable root access without su/sudo
- expiration (no left over access)
- user restrictions bound to certs (instead of server config)

+ human user priv keys were HW bound

https://github.com/silentsignal/zsca
@buherator OK, this is *nice*… another one who has not been reading the manual since 2010 joins the club … @jpmens
Scalable and secure access with SSH (Engineering at Meta)

@buherator exactly that post is what got me interested at the time (before I put it all aside for many years :-( )

@cynicalsecurity

@buherator @cynicalsecurity @jpmens I built a solution based on that feature with a YubiHSM to generate short term certificates for security agents to log into machines, do their job, and get out, without worrying about permanent accounts or certificate management. Worked great 🙂