JP MensSSH certificates: the better SSH experience
https://jpmens.net/2026/04/03/ssh-certificates-the-better-ssh-experience/
edit: I have clarified some of the examples and have incorporated most of your feedback for which many thanks!
It occurs to me that we can deploy SSH host keys and their certificates to nodes using #Ansible as it has two existing modules we can use for the task.
https://jpmens.net/2026/04/07/deploying-ssh-host-keys-and-certificates-with-ansible/
Stefan Eissing@jpmens Thanks! This is neat for hosts that you *own*, e.g. where you have control of the CA and access to its private key which one needs for signing hosts/user keys.
The "traditional" known_hosts/authorized keys was made for multi-user systems where you want secure connections between systems where you do not have root privileges.
But nowadays, most usage falls into the first category, I assume. And a CA makes that easier.
Again, thanks for explaining the details.
uɐıʇsɐqǝs@jpmens Thanks for the long write up. I haven't read it yet, but I certainly will. Just this week our junior dev started rolling out something like this and I have yet to understand what she did and how this all works 😁
@jpmens your post helped me indeed in getting the basic concept. But our setup will involve step ca and gitlab as auth provider. So yes, definitely will have her give me a lecture on this after vacation 😁👍
Job Snijders@jpmens thank you for the write-up! This reminded me I had a todo item to start a "Call for WG Adoption" for the internet-draft that specifies the SSH certificate format! Now done :-) https://mailarchive.ietf.org/arch/msg/ssh/5WHJgASVjhX-ihyEx1Ats_1JaaY/
I wonder if any of your future posts will trigger todo items on my side haha
@jpmens Dear DP Mens, my name absolutely is not Rob.
@job a thousand excuses, and I cannot even blame autocorrect (vi doesn’t have it here). Also embarassing because I well know you’re Job.
Fixed and pushing as we speak!
@jpmens original Bill Joy vi or some of the modern variants that started appearing in the last 3 decades? I’m quite fond of the original that ships with openbsd 🙂
@job I should learn to say “vi - like”; I use whatever’s on the system, also vim obviously, but I’m not at all familiar with its “bolted-on operating system”, a.k.a. plugins. :)
@jpmens of course seasoned admins like yourself will improvise, adapt, and overcome! I turned my back on vim when upstream changed a color scheme I relied on. I realised I had no idea how to turn it back. Then I embraced openbsd vi, which doesn’t have colors, and there I added support for showing the name in the status bar of the file that’s currently being edited and added a percentage to the ruler to show how far you are into a file. Now it’s _nearly_ perfect 😉
Mischa 🐡😎
@job now running on macOS ;-)
I haven’t actually checked whether and how “original Bill Joy” this is: https://ex-vi.sourceforge.net
brb, have to wash my hands — I used sourceforge :-(
Alex@jpmens I've read the man pages and write-ups like these before. Users (and many sysadmins) can just barely handle SSH keys as is.
I am having a hard time imagining a robust process around granting users access to remote systems and network devices with this.
Generating a user's private key on their behalf would be a huge legal liability under legislation like NIS2.
Have you done any successful deployments of CAs?
Roger Light@jpmens at first glance this does look awesome, thank you. I didn't spot anything related to revoking access, is this supported?
@ralight I omitted key revocation from the blog post to not add even more bloat, but I assume I should do it ...
Yes, key revocation is possible, and sshd has a RevokedKeys file which can be added to by ssh-keygen