Conversation

OpenSSH 5.4 was released on 2010-03-08, and that is when the project added support for certificate authentication of users and hosts using an OpenSSH certificate format (not X.509).

Why am I telling you this? Because I wanted to find out since when exactly I have been putting off actually experimenting with SSH certificates, and I can now with certainty say that as far as this topic is concerned I've been an idiot over the last 16 years!

3
1
0

@jpmens tell us more? In which way is it better?

2
0
0

@cynicalsecurity oof, you're asking a beginner ...

No more TOFU (servers are implicitly trusted), principal names in the cert define *which* users I can log in as. Validity times (also relative) can be specified (cynicalsecurity can log in for 2 days), remote commands can be enforced, and lots more probably.

1
0
0

@cynicalsecurity most importantly: no more authorized_keys files, no known_hosts updating on client (i.e. servers can change host key without *** WARNING)

0
0
0

@JP Mens Same here. I was immediately interested when I first read about it, but haven't actually experimented with it either...

Putting it back on the to do list.
1
0
0

@cynicalsecurity @jpmens My former company still uses SSH certs. From the top of my head:

- auditable root access without su/sudo
- expiration (no left over access)
- user restrictions bound to certs (instead of server config)

+ human user priv keys were HW bound

https://github.com/silentsignal/zsca
1
1
0

sshd-session[4063]: error: Certificate invalid: expired

Really good!

sshd-session[4077]: error: Certificate invalid: name is not a listed principal

2
0
0
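
The principals, validity window and forced command mentioned earlier in the thread, and the two sshd errors just above, all come from fields inside the signed certificate. The following is an added example, not code posted by anyone in the thread: a POSIX shell script that builds a throwaway CA with ssh-keygen, signs a user certificate carrying those restrictions, and reads the fields back with `ssh-keygen -L`. The names (alice, deploy, /usr/bin/uptime) are constructed; "cynicalsecurity" reuses the thread's example principal.

```shell
#!/bin/sh
# Added example: a throwaway SSH user CA, one restricted user certificate,
# and helpers that read back the fields sshd checks. Needs a local ssh-keygen
# and only writes into a temporary directory that is removed on exit.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA key pair. Servers trust users by pointing TrustedUserCAKeys at the
# public half; clients trust hosts via an "@cert-authority" known_hosts line.
ssh-keygen -q -t ed25519 -N '' -C 'example-user-ca' -f "$WORK/user_ca"

# The user's ordinary key pair (constructed; stands in for a hardware-bound key).
ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$WORK/alice"

# Sign it: -n lists the principals (account names) the cert may log in as,
# -V the validity window ("can log in for 2 days"), -O force-command pins
# the only command sshd will run for this certificate. The signed cert is
# written next to the key as alice-cert.pub.
ssh-keygen -q -s "$WORK/user_ca" -I 'alice@laptop' \
  -n 'cynicalsecurity,deploy' -V '+2d' \
  -O force-command=/usr/bin/uptime "$WORK/alice.pub"

# Decoded certificate text; these are the fields sshd consults before it
# logs "name is not a listed principal" or "expired".
cert_text() { ssh-keygen -L -f "$WORK/alice-cert.pub"; }

# Prints yes if $1 is one of the certificate's principals, no otherwise.
cert_has_principal() {
  if cert_text | sed -n '/^ *Principals:/,/^ *Critical Options:/p' | grep -qx " *$1"; then
    echo yes
  else
    echo no
  fi
}

# Prints the forced command recorded in Critical Options.
cert_force_command() { cert_text | sed -n 's/^ *force-command //p'; }

# Prints the Key ID, which sshd logs on every certificate login (the audit trail).
cert_key_id() { cert_text | sed -n 's/^ *Key ID: "\(.*\)"$/\1/p'; }

cert_text
echo "principal cynicalsecurity listed: $(cert_has_principal cynicalsecurity)"
echo "principal root listed: $(cert_has_principal root)"
```

A login attempt as an account that is not in the Principals list, or after the Valid window closes, produces exactly the two sshd errors quoted above.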

@jpmens great but.... I kinda feel like why invent yet another new cert format when you could've just used attribute extensions in X.509?

1
0
0

@hyc simplicity, ease of use, easy to handle and copy/paste?

here's a certificate

0
0
0

@buherator OK, this is *nice*… another one who has not been reading the manual since 2010 joins the club … @jpmens

1
0
1

@buherator exactly that post is what got me interested at the time (before I put it all aside for many years :-( )

@cynicalsecurity

0
0
1

and if need be (I'm just verifying it actually works) we can sign SSH certificates with

0
0
0

@buherator @cynicalsecurity @jpmens I built a solution based on that feature with a YubiHSM to generate short term certificates for security agents to log into machines, do their job, and get out, without worrying about permanent accounts or certificate management. Worked great 🙂

0
1
1