OpenSSH 5.4 was released on 2010-03-08, and that is when the project added support for certificate authentication of users and hosts using an OpenSSH certificate format (not X.509).

Why am I telling you this? Because I wanted to find out since when exactly I have been putting off actually experimenting with SSH certificates, and I can now with certainty say that as far as this topic is concerned I've been an idiot over the last 16 years!

@jpmens tell us more? In which way is it better?

@cynicalsecurity oof, you're asking a beginner ...

No more TOFU (servers are implicitly trusted), principal names in the cert define as *which* users I can log in. Validity times (also relative) can be specified (cynicalsecurity can log in for 2 days), remote commands can be enforced, and lots more probably.

@cynicalsecurity most importantly: no more authorized_keys files, no known_hosts updating on the client (i.e. servers can change host key without *** WARNING)
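As an added example (not part of the thread, and not jpmens's own setup), the points in the two posts above in runnable form: a throwaway user CA and host CA, a user certificate whose principals say which accounts may be used, with a relative validity window and a forced command, a host certificate, the two sshd_config lines a server needs, and the single @cert-authority line that replaces per-host known_hosts entries on the client. The names (jpmens, cynicalsecurity, bastion.example.org, 10.0.0.5, the file names) are made up for the demo; only ssh-keygen from OpenSSH is needed, and everything is written under a directory you pass in.

```shell
#!/bin/sh
# Added example: build a demo SSH CA, a user certificate and a host certificate
# with ssh-keygen only. All names and paths are invented for the demo.
set -eu

# Create the CAs, keys and certificates under $1 (must be a fresh directory,
# because ssh-keygen prompts before overwriting existing key files).
make_ssh_certs() {
    dir=$1
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
    mkdir -p "$dir"

    # Two CAs: one signs users (trusted by servers), one signs hosts (trusted by clients).
    ssh-keygen -q -t ed25519 -N '' -C 'user CA' -f "$dir/user_ca"
    ssh-keygen -q -t ed25519 -N '' -C 'host CA' -f "$dir/host_ca"

    # The key a person carries, and a server's host key.
    ssh-keygen -q -t ed25519 -N '' -C 'laptop' -f "$dir/id_ed25519"
    ssh-keygen -q -t ed25519 -N '' -C 'bastion' -f "$dir/ssh_host_ed25519_key"

    # User certificate: -n lists the principals (account names) the holder may
    # log in as, -V gives a relative validity window (1h of clock skew back,
    # 2 days forward), -O force-command pins what the session may run.
    # Output lands in id_ed25519-cert.pub next to the key.
    ssh-keygen -q -s "$dir/user_ca" -I 'cynicalsecurity@laptop' \
        -n jpmens,cynicalsecurity -V -1h:+2d \
        -O force-command=/usr/bin/uptime \
        "$dir/id_ed25519.pub"

    # Host certificate (-h): principals are the names/addresses clients may
    # connect with. Output lands in ssh_host_ed25519_key-cert.pub.
    ssh-keygen -q -s "$dir/host_ca" -I 'bastion.example.org' -h \
        -n bastion.example.org,10.0.0.5 -V +52w \
        "$dir/ssh_host_ed25519_key.pub"

    # Server side: trust the user CA (replaces authorized_keys) and present the host cert.
    printf 'TrustedUserCAKeys %s/user_ca.pub\nHostCertificate %s/ssh_host_ed25519_key-cert.pub\n' \
        "$dir" "$dir" > "$dir/sshd_config.snippet"

    # Client side: one @cert-authority line covers every host the host CA signs.
    printf '@cert-authority *.example.org,10.0.0.* %s\n' \
        "$(cut -d' ' -f1,2 "$dir/host_ca.pub")" > "$dir/known_hosts"
}

# Print "user" or "host" for a certificate file.
cert_type() {
    ssh-keygen -L -f "$1" | awk '/^ *Type:/ {print $3; exit}'
}

# Print the principals a certificate carries, one per line
# (parsed from the "Principals:" section of ssh-keygen -L).
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^ *Principals:/ {p=1; next}
        /^ *(Critical Options|Extensions):/ {p=0}
        p {gsub(/^ +/, ""); print}'
}

# Print the force-command critical option of a certificate, if any.
cert_force_command() {
    ssh-keygen -L -f "$1" | awk '
        /^ *Critical Options:/ {p=1; next}
        /^ *Extensions:/ {p=0}
        p && $1 == "force-command" {print $2}'
}

# Usage: sh ssh-certs.sh /tmp/sshca   (then inspect with ssh-keygen -L)
if [ -n "${1:-}" ]; then
    make_ssh_certs "$1"
    ssh-keygen -L -f "$1/id_ed25519-cert.pub"
    ssh-keygen -L -f "$1/ssh_host_ed25519_key-cert.pub"
fi
```

To wire it into a real setup, copy user_ca.pub and the host key plus its -cert.pub to the server and append sshd_config.snippet to sshd_config; on the client, `ssh -i id_ed25519` picks up id_ed25519-cert.pub automatically, and the known_hosts line is all the client needs for any host the host CA has signed.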

@jpmens @cynicalsecurity I thought known_hosts still updated, just quietly / no prompt because of trusted root cert.

Am I wrong?