undefined | Better HN

0 pointsgroestl7y ago0 comments

A side note on the last part: @cert-authority is an underrated feature of OpenSSH. More companies should use it to make their infrastructure safer to use.

0 comments

3 comments · 1 top-level

chupasaurus7y ago· 2 in thread

It has flaws in usage: issuer cert per group isn't easy to manage (and makes pubkeys 1000+ characters long), you have to distribute CRLs, one error in sshd_config could make server unmanagable (multiplied by your config manager). I haven't seen a pure SSH CA automation project too.

groestlOP7y ago

Can you elaborate on the first issue?

chupasaurus7y ago

You can make a certificate with multiple principals, but in order to add/remove some group access you'll have to reissue the public cert (and add previous to CRL with removal of some), which is OK for short-lived certs. With multiple issuers, you can add/remove public keys for different CAs but the resulting meta public key will be a set of keys actually.

j / k navigate · click thread line to collapse