undefined | Better HN

0 pointsraxxorraxor1y ago0 comments

I miswrote my comment, I mean that I am skeptical of client auth, otherwise auth is of course sensible. But I think you understood that and client auth surely can make sense.

I assume this is for x509 certs specifically? I usually use simple ssh keys to identify users and servers towards each other, never really thought about entire certificate chains.

I would assume the number of devices potentially needing certificates is probably too much for PKI, but it would still be nice to know their reasoning.

0 comments

1 comments · 1 top-level

evanjrowley1y ago

I suppose they might want to stop issuing client auth certificates because it means anyone with a PKI-signed cert could potentially authenticate as a client to a server. With PKI being a series of trust relationships among CAs, there's effectively no control over what gets accepted vs. rejected. I suppose from that perspective only private CAs make sense.

If you want to try using a private CA for x509 certificates to do SSH client authentication, I know of a couple solutions that make it easy to do:

Smallstep: https://smallstep.com/docs/tutorials/ssh-certificate-login/

Infiniscal: https://infisical.com/docs/documentation/platform/ssh/overvi...

You can also do it the hard way. For example, here's how it can be done to SSH into Cisco network gear: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9...

j / k navigate · click thread line to collapse