@jpmens great but.... I kinda feel like why invent yet another new cert format when you could've just used attribute extensions in X.509?
@buherator OK, this is *nice*… another one who has not been reading the manual since 2010 joins the club … @jpmens
@buherator @cynicalsecurity @jpmens I built a solution based on that feature with a YubiHSM to generate short-term certificates for security agents to log into machines, do their job, and get out, without worrying about permanent accounts or certificate management. Worked great 🙂
@jpmens I've been doing this for a while and it's been great https://jamesog.net/2023/03/03/yubikey-as-an-ssh-certificate-authority/
@jpmens I find this a good enlightening past experiment with all sorts of nice properties: https://speakerdeck.com/rlewis/how-netflix-gives-all-its-engineers-ssh-access-to-instances-running-in-production (ephemeral certificates with a static CA) and hence https://github.com/Netflix/bless
@jpmens @cynicalsecurity I thought known_hosts still updated, just quietly / no prompt because of trusted root cert.
Am I wrong?
@jpmens Ooh thanks. I’ll check that later. It was stitched together from a lot of different notes and terminal scrollback!
@jpmens That’s my mistake I think. I had tried with several Yubikeys to test the process and I vaguely recall being unsure which slot to use (or if it even mattered). I’ll check that later too. Thanks!
@jpmens Thanks for all the feedback. I've made the proper sacrifices to the Hugo maintainers and pushed some updates to the post. I made a few extra clarifications and added a script I started using since I wrote the post too.
@jpmens Haha it's fine! It's made me realise I need to fix this setup once and for all.