
This is completely solved by SSH certificates. You still have the same private key in the hardware, but instead of using the public key directly, you issue temporary (~1 hour) SSH key certificates. I even automated it using an SSH proxy.

The target machines then just need to put the CA cert in the authorized_keys files.




> The target machines then just need to put the CA cert in the authorized_keys files.

The word "just" is doing a lot of work there. You update authorized_keys every hour for your entire fleet?


No, the ssh CA model works like this: servers trust one CA, and the CA signs user keys. No more distributing individual public keys to every machine.

It is the user machine that needs a new certificate signed by the CA once the short-lived one expires.
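Added example, not part of the thread and not any commenter's code: the CA model described in the comments above, run end to end with OpenSSH's `ssh-keygen`. The user name `alice`, the file names and the one-hour validity are assumptions for the demo, and a software key stands in for the hardware-held one.

```shell
#!/bin/sh
# Added example: SSH CA with short-lived user certificates (constructed demo).
# Assumptions: user "alice", file names, 1h validity, software keys throughout.

# CA key pair; only ca.pub is ever copied to servers.
make_ca() {                      # $1 = work dir
    ssh-keygen -q -t ed25519 -N '' -C demo-user-ca -f "$1/ca"
}

# The user's long-lived key pair (stands in for the hardware-held key).
make_user_key() {                # $1 = work dir
    ssh-keygen -q -t ed25519 -N '' -C alice-demo -f "$1/id_user"
}

# Sign the user's PUBLIC key: principal alice, valid 1 hour, serial $2.
# Writes $1/id_user-cert.pub, replacing any earlier certificate.
issue_cert() {                   # $1 = work dir, $2 = serial
    ssh-keygen -q -s "$1/ca" -I "alice-demo-$2" -n alice -V +1h -z "$2" \
        "$1/id_user.pub"
}

# The single authorized_keys line a server needs. It names the CA key, not
# the user key, so renewing a certificate never changes it.
server_trust_line() {            # $1 = work dir
    printf 'cert-authority %s\n' "$(cat "$1/ca.pub")"
}

# Read one labelled field back out of the current certificate.
cert_field() {                   # $1 = work dir, $2 = label, e.g. 'Valid:'
    ssh-keygen -L -f "$1/id_user-cert.pub" | grep "$2"
}
cert_signer_fp() { cert_field "$1" 'Signing CA:' | awk '{print $4}'; }
ca_fp() { ssh-keygen -l -f "$1/ca.pub" | awk '{print $2}'; }

demo() {
    d=$(mktemp -d)
    make_ca "$d" && make_user_key "$d" && issue_cert "$d" 1
    server_trust_line "$d"       # installed on servers once
    cert_field "$d" 'Valid:'     # one-hour window
    issue_cert "$d" 2            # renewal happens on the user side only
    cert_field "$d" 'Serial:'
    rm -rf "$d"
}
demo
```

With a `cert-authority` line and no `principals=` option, sshd accepts the certificate only if its principal list contains the account name being logged into, which is why the demo signs with `-n alice`.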


Understood. Not a bad idea.

Sounds like a job for DNSSEC and SSHFP records.

Ahh, now you have three problems…hrm


SSH CAs are not incompatible with my argument! An SSH CA can sign short-lived certificates for just-in-time generated keys.

Shameless plug: if you are looking for software that does basically this, you can try my open source project: https://github.com/azophy/sshifu

It's still early, but my aim for this project is to be the simplest/easiest "SSH login via SSO" available on the market. Open for feedback & suggestions.



