Hacker News new | ask | show | jobs
by lelanthran 56 days ago
> The target machines then just need to put the CA cert in the authorized_keys files.

The word "just" is doing a lot of work there. You update authorized_keys every hour for your entire fleet?
2 comments
winstonwinston 56 days ago
No, the ssh CA model works like this: servers trust one CA, and the CA signs user keys. No more distributing individual public keys to every machine.

It is the user machine that needs new certificate signed by the CA once the short-lived one expires.

link
lelanthran 56 days ago
Understood. Not a bad idea.
link
pyvpx 56 days ago
Sounds like a job for dnssec and sshfp records

Ahh, now you have three problems…hrm

link