SSH certificates: the better SSH experience

This post explains the often-overlooked yet powerful world of SSH certificates, offering a superior alternative to traditional SSH key management. It delves into the benefits like eliminating 'Trust on First Use' prompts and simplifying host key rotation, making SSH connections more seamless and secure in large environments. The Hacker News discussion explores the practicalities and pitfalls, debating whether the added complexity is worth the significant security and operational advantages.

Score: 89 · Comments: 33 · Highest rank: #8 · 10h on front page · First seen: Apr 3, 2:00 PM · Last seen: Apr 3, 11:00 PM

The Lowdown

The author presents SSH certificates as a "better SSH experience," addressing common frustrations with traditional SSH key management. These include the problematic "Trust on First Use" (TOFU) prompt, the verbose warnings when host keys change, and the manual overhead of distributing public keys to authorized_keys files.

The article thoroughly explains how SSH certificates resolve these issues, highlighting key advantages and providing a step-by-step guide to implementation:

  • Eliminating TOFU: Clients trust servers (and vice versa) through a central Certificate Authority (CA): any key carrying a valid CA signature is accepted, removing the need for manual fingerprint verification.
  • Simplified Key Management: No more deploying individual public keys to authorized_keys files; user and host keys are signed by the CA instead.
  • Graceful Host Key Rotation: Servers can roll host keys without triggering client-side warnings or requiring known_hosts file updates.
  • Granular Control and Expiration: Certificates can enforce specific user principals, source IP prefixes, forced commands, and have defined validity periods, automatically revoking access upon expiration.
  • Automated Provisioning: The author demonstrates a simple Python-based "host key bot" to automate the signing and distribution of host certificates, showcasing the potential for large-scale deployment.

The setup involves creating an SSH CA key pair, signing user public keys with specified principals and validity, and signing host public keys. Both clients and servers are configured to trust the CA's public key, centralizing trust management. A detailed checklist is provided for troubleshooting common issues during setup.
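The setup just described, as an added shell example (not code from the article, whose own automation was a Python host-key bot, nor from the thread): it creates the CA, signs a user key with principals and a validity window, signs a host key, and writes the two trust snippets. The directory, the user "alice", the host "web1" and the validity windows are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not code from the article or the HN thread: the CA workflow the
# summary describes, driven by ssh-keygen alone. The directory, user "alice",
# host "web1" and the validity windows are assumptions chosen for the demo.
set -eu
# Create a CA, a signed user cert and a signed host cert in $1, plus the two
# config snippets: one makes sshd trust user certs, one makes ssh trust host certs.
setup_ssh_ca() (
  mkdir -p "$1" && cd "$1"
  # 1. CA key pair; ca.pub is the single trust anchor for both sides.
  ssh-keygen -q -t ed25519 -N '' -C 'demo-ssh-ca' -f ca
  # 2. User key signed with explicit principals and a short validity window,
  #    so access lapses by itself when the certificate expires.
  ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f alice
  ssh-keygen -q -s ca -I 'alice-laptop' -n 'alice,admin' -V '-5m:+8h' alice.pub
  # 3. Host key signed as a host certificate (-h) for the names clients use.
  ssh-keygen -q -t ed25519 -N '' -C 'web1' -f ssh_host_ed25519_key
  ssh-keygen -q -s ca -I 'web1' -h -n 'web1,web1.example.internal' -V '+52w' \
    ssh_host_ed25519_key.pub
  # 4. sshd trusts user certs via TrustedUserCAKeys and presents its own cert;
  #    clients accept any host cert from this CA via an @cert-authority line.
  printf 'TrustedUserCAKeys %s/ca.pub\nHostCertificate %s/ssh_host_ed25519_key-cert.pub\n' \
    "$1" "$1" > sshd_config.snippet
  printf '@cert-authority web1,web1.example.internal %s\n' "$(cat ca.pub)" \
    > known_hosts.snippet
)
# Print the principals embedded in a certificate, one per line.
cert_principals() {
  ssh-keygen -L -f "$1" |
    awk '/^[ \t]*Principals:/ {p=1; next} /^[ \t]*Critical Options:/ {p=0} p {print $1}'
}
# Print "user" or "host" according to the certificate type.
cert_type() {
  ssh-keygen -L -f "$1" | awk '/^[ \t]*Type:/ {print $(NF-1)}'
}
main() {
  if ! command -v ssh-keygen >/dev/null 2>&1; then
    echo "skipping: ssh-keygen (OpenSSH) is not installed" >&2
    return 0
  fi
  dir="${1:-$(mktemp -d)}"
  setup_ssh_ca "$dir"
  echo "CA, certificates and config snippets written to $dir"
  echo "user principals: $(cert_principals "$dir/alice-cert.pub" | tr '\n' ' ')"
}
main "$@"
```

Run it with a target directory (or none, for a temp dir); the generated sshd_config.snippet and known_hosts.snippet show exactly which lines each side needs, and `ssh-keygen -L` on the resulting `-cert.pub` files lets you confirm principals and validity before deploying anything.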

In conclusion, the article argues that SSH certificates offer a significantly improved and more secure SSH workflow, especially for environments with numerous users and hosts. It points to projects like Smallstep SSH for more robust automation beyond the basic proof-of-concept presented.

The Gossip

Certificates: The Perennial Post

Many commenters note that the topic of SSH certificates is a recurring one on Hacker News, with users 'rediscovering' their benefits every few months. Some share links to their own older blog posts on the subject, acknowledging the timeless nature of the problem and solution.

Practicalities and Pitfalls: To Certify or Not to Certify?

This is the most debated theme. Proponents highlight the clear advantages for large, dynamic environments: easier host key rotation, centralized management, and temporary access control. Critics, however, point out significant disadvantages. They argue that certificates move complexity up the stack, creating a single, critical point of failure (the CA) that must be constantly available and correct. Concerns include 'janky workflows,' uneven support across implementations (e.g., GitHub's limited support, tinyssh), and the inherent difficulty of true revocation when relying on certificate expiration alone.

TOFU's True Threat: Myth or Man-in-the-Middle?

The discussion questions the real-world security implications of Trust On First Use (TOFU). Some argue that TOFU is rarely a practical security issue unless there's a highly sophisticated attacker (e.g., ISP compromise, device on LAN) combined with a first-time connection. Others defend its importance, likening ignoring TOFU warnings to neglecting car seatbelts, suggesting that while inconvenient, it's a critical safety measure. The consensus leans towards the 'secure way' being out-of-band key verification, regardless of certificates.

Alternative Access Architectures

Commenters discuss alternative or complementary solutions to SSH certificate management. Userify is mentioned as a product that manages SSH public keys locally on nodes via HTTPS, aiming to provide benefits similar to certificates without their perceived workflow complexity or single point of failure. SSHFP DNS records are also brought up as a method to address TOFU without relying on a full CA infrastructure, though concerns about DNSSEC support are raised.