by bluehavana
5256 days ago
Keys get pretty unmanageable at scale. The biggest part of key management is changing keys, which is a really important part of security. Use Kerberos and a Directory Service if you can, unless you have a solution to SSH key changes.

Sign your keys with a CA, and encode the "principals" that the user has (so, be able to log into some machines as themself, some machines as some other user), and a validity period. Revocation wasn't there yet when last I looked at it (mid-last-year), but might be there now.
One benefit is that individual connections don't need to be brokered by an external authentication/authorisation service. However, it is a relatively new feature and there may be rough edges (such as making sure all your clients have a recent enough version of the tools to work with certificates - Lion was the first MacOS X version to have it, for example).
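The principals and validity period mentioned above are ordinary length-prefixed fields inside the certificate blob that the CA signs. The Python below is an added example, not code from this thread or from OpenSSH: it encodes and decodes a minimal `ssh-ed25519-cert-v01@openssh.com` user certificate following the field order of OpenSSH's PROTOCOL.certkeys, then applies the principal and validity-window check a server performs after the signature has verified. The key material, nonce and signature bytes are constructed placeholders; the CA signature is not verified here, and in a real deployment that verification is what makes the rest of the check trustworthy.

```python
"""Encode/decode the OpenSSH certificate wire format (PROTOCOL.certkeys)
to show where principals and the validity window live, then apply the
authorization check sshd makes for a login name at a given time.

Key material and the signature are constructed placeholders; verifying
the CA's Ed25519 signature over the signed body is out of scope here."""
import struct
from dataclasses import dataclass

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1   # type field: 1 = user certificate, 2 = host certificate


def ssh_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, pos: int):
    """Read one SSH 'string' at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    return buf[pos:pos + n], pos + n


@dataclass
class SshCert:
    key_id: str
    principals: list
    valid_after: int    # seconds since epoch, inclusive
    valid_before: int   # seconds since epoch, exclusive
    cert_type: int


def encode_cert(key_id, principals, valid_after, valid_before,
                pubkey=b"\x00" * 32, ca_pubkey=b"\x01" * 32) -> bytes:
    """Build a user certificate blob. pubkey, ca_pubkey, nonce and the
    signature are constructed placeholders, not real Ed25519 material."""
    body = b"".join([
        ssh_string(CERT_TYPE),
        ssh_string(b"\x00" * 32),                 # nonce
        ssh_string(pubkey),                       # subject public key
        struct.pack(">Q", 1),                     # serial
        struct.pack(">I", USER_CERT),             # type
        ssh_string(key_id.encode()),              # key id (for logging)
        # valid principals: a string holding one string per principal
        ssh_string(b"".join(ssh_string(p.encode()) for p in principals)),
        struct.pack(">Q", valid_after),
        struct.pack(">Q", valid_before),
        ssh_string(b""),                          # critical options (none)
        ssh_string(b""),                          # extensions (none)
        ssh_string(b""),                          # reserved
        ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(ca_pubkey)),
    ])
    # A real CA signs `body` here; the placeholder keeps the layout intact.
    sig = ssh_string(b"ssh-ed25519") + ssh_string(b"\x00" * 64)
    return body + ssh_string(sig)


def decode_cert(blob: bytes) -> SshCert:
    """Parse the fields relevant to authorization out of a cert blob."""
    pos = 0
    t, pos = read_string(blob, pos)
    if t != CERT_TYPE:
        raise ValueError("unsupported certificate type %r" % t)
    _nonce, pos = read_string(blob, pos)
    _pubkey, pos = read_string(blob, pos)
    _serial, cert_type = struct.unpack_from(">QI", blob, pos)
    pos += 12
    key_id, pos = read_string(blob, pos)
    princ_blob, pos = read_string(blob, pos)
    principals, p = [], 0
    while p < len(princ_blob):
        name, p = read_string(princ_blob, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, pos)
    return SshCert(key_id.decode(), principals, valid_after, valid_before, cert_type)


def authorizes(cert: SshCert, login_name: str, now: int) -> bool:
    """Checks applied after the CA signature verifies: it is a user cert,
    the requested login name is a listed principal, and `now` falls in
    [valid_after, valid_before)."""
    return (cert.cert_type == USER_CERT
            and login_name in cert.principals
            and cert.valid_after <= now < cert.valid_before)


if __name__ == "__main__":
    # Constructed sample: alice may log in as "alice" or "deploy" for one week.
    start = 1_000_000
    blob = encode_cert("alice@laptop", ["alice", "deploy"], start, start + 7 * 86400)
    cert = decode_cert(blob)
    print(cert)
    for who, when in [("alice", start + 3600), ("root", start + 3600),
                      ("alice", start + 7 * 86400)]:
        print(who, when, "->", authorizes(cert, who, when))
```

The exclusive upper bound matters: a certificate is rejected at the exact second its validity ends, which is why short-lived certificates are the usual answer to the revocation gap described above, since an unrevokable certificate simply stops working when its window closes.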