SSH certificates: the better SSH experience

by jandeboevrie on 4/3/2026, 9:52:20 AM

https://jpmens.net/2026/04/03/ssh-certificates-the-better-ssh-experience/

Comments

by: thomashabets2

Every couple of months someone re-discovers SSH certificates, and blogs about them.

I'm guilty of it too. My blog post from 15 years ago is nowhere near as good as OP's post, but if I thought the me of 15 years ago lived up to my standards of today, I'd be really disappointed: https://blog.habets.se/2011/07/OpenSSH-certificates.html

4/3/2026, 1:10:50 PM


by: Tepix

The author lists all the advantages of CA certificates, yet doesn't list the disadvantages. OTOH, all the many steps required to set it up make the disadvantages rather obvious.

Also, I've never had a security issue due to TOFU, have you?

4/3/2026, 2:07:18 PM


by: gunapologist99

Anyone tried out Userify? It creates/removes ssh pubkeys locally so (like a CA) no authn server needs to be online. But unlike certs, active sessions and processes are terminated when the user access is revoked.

4/3/2026, 3:54:39 PM


by: linsomniac

In our dev/stg environment we reinstall half our machines every morning (largely to test our machine setup automation), and SSH host certificates make that so much nicer than having to persist host keys or remove/replace them in known_hosts. Highly recommended.

4/3/2026, 1:54:43 PM


by: bobo56539

With the recent wave of npm hacks stealing private keys, I wanted to limit keys' lifetimes.

I've set up a couple of yubikeys as SSH CAs on hosts I manage. I use them to create short-lived certs (say 24h) at the start of the day. This way I only have to enter the yubikey PIN once a day.

I could not find an easy way to limit maximum certificate lifetime in openssh, except for using the AuthorizedPrincipalsCommand, which feels very fragile.

Does anyone else have any experience with a similar setup? How do you limit cert max lifetime?

4/3/2026, 3:03:49 PM
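bobo56539 asks how a server can refuse certificates that were issued with too long a validity window. sshd only enforces the window the CA actually wrote into the certificate, so a server-side cap has to live in a hook such as AuthorizedPrincipalsCommand. The script below is an added example of that hook, written for this page; it is not code from the thread, from the linked article, or from OpenSSH. The sshd_config directives in its docstring, the script path, and the 24-hour limit are assumptions, and the sample certificate it parses is constructed in code with dummy key material rather than signed by a real CA. It decodes the certificate that sshd passes as `%k`, reads the validity window, and prints the login name as the only allowed principal when the window is short enough. Printing the login name rather than echoing the certificate's own principals matters: echoing them would let any certificate from the CA log in as any user.

```python
"""Added example (not from the thread): an AuthorizedPrincipalsCommand that caps certificate lifetime.
Assumed sshd_config (hypothetical paths):  TrustedUserCAKeys /etc/ssh/user_ca.pub
    AuthorizedPrincipalsCommand /usr/local/sbin/ssh-max-lifetime %u %k
    AuthorizedPrincipalsCommandUser nobody
sshd expands %u to the login name and %k to the base64 body of the offered certificate. The command
prints the login name as the only allowed principal when the certificate's validity window is short
enough, and nothing (deny) otherwise. sshd still verifies the CA signature, the validity window and
the principal match itself; this script only adds the lifetime cap.
"""
import base64
import struct
import sys

MAX_LIFETIME = 24 * 3600   # policy value (assumption): refuse certificates valid for more than a day
USER_CERT = 1              # certificate "type" field: 1 = user, 2 = host
PK_FIELDS = {              # public-key fields between nonce and serial, per certificate key type
    "ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    "ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve name, Q
}

class Reader:
    """Sequential decoder for the SSH wire types used in certificates (uint32, uint64, string)."""
    def __init__(self, data):
        self.data, self.off = data, 0
    def take(self, n):
        chunk = self.data[self.off:self.off + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.off += n
        return chunk
    def unpack(self, fmt):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
    def string(self):
        return self.take(self.unpack(">I"))
    def done(self):
        return self.off == len(self.data)

def parse_certificate(b64):
    """Decode the base64 body of an OpenSSH certificate (what sshd passes as %k) into a dict."""
    r = Reader(base64.b64decode(b64))
    key_type = r.string().decode()
    if key_type not in PK_FIELDS:
        raise ValueError(f"unsupported certificate type {key_type}")
    r.string()                                 # nonce
    for _ in range(PK_FIELDS[key_type]):       # public-key material, not needed for the policy
        r.string()
    serial, cert_type = r.unpack(">Q"), r.unpack(">I")
    key_id = r.string().decode()
    plist, principals = Reader(r.string()), []  # "valid principals" is itself a packed list of strings
    while not plist.done():
        principals.append(plist.string().decode())
    valid_after, valid_before = r.unpack(">Q"), r.unpack(">Q")
    for _ in range(5):                         # critical options, extensions, reserved, sig key, signature
        r.string()
    if not r.done():
        raise ValueError("trailing data after certificate")
    return {"key_type": key_type, "serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def allowed_principals(login_user, cert_b64, max_lifetime=MAX_LIFETIME):
    """Principals sshd may accept for this login: [login_user] if the certificate passes policy, else []."""
    cert = parse_certificate(cert_b64)
    if cert["type"] != USER_CERT:
        return []                              # host certificates never authorise a login
    if cert["valid_before"] - cert["valid_after"] > max_lifetime:
        return []                              # too long, including ssh-keygen's "forever" (2**64 - 1)
    return [login_user]

def _string(b):
    return struct.pack(">I", len(b)) + b

def build_sample_certificate(key_id, principals, valid_after, valid_before, serial=1, cert_type=USER_CERT):
    """CONSTRUCTED test vector: an ed25519 user certificate with dummy key material and a bogus
    signature so the parser can be exercised offline. sshd would reject it; only the layout matters."""
    body = b"".join([
        _string(b"ssh-ed25519-cert-v01@openssh.com"),
        _string(b"\x00" * 32),                                     # nonce
        _string(b"\x11" * 32),                                     # pk
        struct.pack(">Q", serial), struct.pack(">I", cert_type),
        _string(key_id.encode()),
        _string(b"".join(_string(p.encode()) for p in principals)),
        struct.pack(">Q", valid_after), struct.pack(">Q", valid_before),
        _string(b""), _string(b""), _string(b""),                  # critical options, extensions, reserved
        _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32)),  # signature key (dummy CA key)
        _string(_string(b"ssh-ed25519") + _string(b"\x33" * 64)),  # signature (not valid)
    ])
    return base64.b64encode(body).decode()

def main(argv):
    try:
        principals = allowed_principals(argv[1], argv[2])
    except (IndexError, ValueError) as exc:
        print(f"ssh-max-lifetime: refusing certificate: {exc}", file=sys.stderr)
        return 1                               # non-zero exit makes sshd deny and log the failure
    for principal in principals:
        print(principal)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the CA side the same window is set at issuance with `ssh-keygen -s ca_key -I key_id -n principal -V +24h user_key.pub`, and `ssh-keygen -L -f user_key-cert.pub` prints the resulting `Valid:` line, so the server-side cap above is a backstop against a CA that is ever talked into issuing a longer certificate, not a replacement for issuing short ones.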


by: moviuro

All those articles about SSH certificates fall short of explaining how the revocation list can/should be published.

Is that yet another problem that I need to solve with syncthing?

https://man.openbsd.org/ssh-keygen.1#KEY_REVOCATION_LISTS

4/3/2026, 3:40:44 PM


by: jcalvinowens

You can also address TOFU to some extent using SSHFP DNS records.

OpenSSH supports checking the DNSSEC signature in the client, in theory, but it's a configure option and I'm not sure if distros build with it.

4/3/2026, 2:46:46 PM


by: Thom2000

Sadly, services such as GitHub don't support these, so it's mostly good for internal infrastructure.

4/3/2026, 1:30:23 PM