by gunapologist99 679 days ago
cassh is a manager for CAs in SSH. CAs were added to SSH to satisfy people who thought PKI was a good idea; it's not, and SSH pubkeys are far better IMO. Better to use a tool like Userify (or similar like SSH.com) for pubkey management.

At least certificates expire, and can list capabilities right in the certificate?
Not exactly. Yes, the certs expire, so they can't log in again, but existing sessions are not terminated.

With Userify, sessions (like tmux or screen) actually get terminated within seconds when the user's access is removed. That doesn't happen at all with certificates.

If someone's certificate expires, but they're still logged in, they'll stay logged in, because there is no mechanism to kill their session (and they can channel all kinds of things over their logged-in session).

That's an absolute nightmare for compliance.

Fair point - in the case of a revoked cert, it'd probably be feasible to just watch the revocation list and pkill a user's sessions - with an expired cert, I'm not sure if there's anywhere to watch for that state-change.

Probably the best one could do out of the box is set an 8 hour session limit or so?
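As an added example that is not part of the thread: a Python script that implements what the last two comments sketch, correlating sshd's "Accepted publickey" log lines for certificate logins (which carry the per-connection sshd pid, the certificate ID and its serial) with a KRL specification file and a maximum session age, then terminating the matching sessions. The log lines, KRL entries, pids and serials are constructed samples; the 8-hour limit is the figure suggested above.

```python
import os, re, signal
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format, so the timestamp has no year).
SAMPLE_LOG = """\
Mar 14 08:02:11 host sshd[4101]: Accepted publickey for alice from 192.0.2.10 port 50234 ssh2: ED25519-CERT SHA256:AAAA ID alice@corp (serial 42) CA ED25519 SHA256:CCCC
Mar 14 09:30:45 host sshd[4177]: Accepted publickey for bob from 192.0.2.11 port 50301 ssh2: ED25519-CERT SHA256:BBBB ID bob@corp (serial 43) CA ED25519 SHA256:CCCC
Mar 14 17:15:02 host sshd[4902]: Accepted publickey for carol from 192.0.2.12 port 50377 ssh2: ED25519-CERT SHA256:DDDD ID carol@corp (serial 101) CA ED25519 SHA256:CCCC
"""
# Constructed KRL specification, in the text format that `ssh-keygen -k` consumes.
SAMPLE_KRL_SPEC = "# revoked by the CA operator\nserial: 43\nserial: 100-110\nid: mallory@corp\n"

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Accepted publickey for (?P<user>\S+) from \S+ port \d+ ssh2: "
    r"\S+-CERT \S+ ID (?P<cert_id>\S+) \(serial (?P<serial>\d+)\)")

def parse_krl_spec(text):
    """Return ([(lo, hi), ...] revoked serial ranges, {revoked key IDs})."""
    ranges, ids = [], set()
    for line in text.splitlines():
        kind, _, value = line.split("#", 1)[0].strip().partition(":")
        if kind == "serial":
            lo, _, hi = value.strip().partition("-")
            ranges.append((int(lo), int(hi or lo)))
        elif kind == "id":
            ids.add(value.strip())
    return ranges, ids

def parse_cert_logins(log_text, year):
    """Certificate logins as dicts: per-connection sshd pid, user, cert ID, serial, login time."""
    sessions = []
    for m in filter(None, map(LOGIN_RE.match, log_text.splitlines())):
        login = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        sessions.append({"pid": int(m["pid"]), "user": m["user"], "cert_id": m["cert_id"],
                         "serial": int(m["serial"]), "login": login})
    return sessions

def sessions_to_terminate(sessions, ranges, ids, now, max_age=timedelta(hours=8)):
    """Sessions whose certificate is revoked, or which outlived the allowed session age."""
    decisions = []
    for s in sessions:
        if any(lo <= s["serial"] <= hi for lo, hi in ranges) or s["cert_id"] in ids:
            decisions.append((s["pid"], s["user"], "certificate revoked"))
        elif now - s["login"] > max_age:
            decisions.append((s["pid"], s["user"], "session older than max age"))
    return decisions

def terminate(decisions, enforce=False):
    """Signal the per-connection sshd, which drops the session; dry run unless enforce=True."""
    for pid, user, reason in decisions:
        print(f"{'terminating' if enforce else 'would terminate'} sshd pid {pid} ({user}): {reason}")
        try:  # guard against pid reuse: only signal a process that is still sshd
            if enforce and open(f"/proc/{pid}/comm").read().strip() == "sshd":
                os.kill(pid, signal.SIGTERM)
        except OSError:
            pass  # process already gone
```

Run it against the real auth log with `enforce=True` to apply the decisions; without it the script only reports what it would do.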