I'm really curious about how others are handling SSH access for large teams. We recently published a blog post discussing the limitations of using SSH public key authentication, especially in high-paced environments where issues like key sprawl and unclear access management can become significant headaches. The article proposes that SSH certificates could serve as a more scalable and secure alternative to public keys, similar to the approach used in modern identity systems that offer short-lived credentials. I'm interested in hearing from the community: Are any of you utilizing SSH certificates in a production setting? What tools or workflows do you use for issuing, rotating, and revoking these certificates? Also, if you're still relying on static keys, what are the challenges you're facing when considering a switch?
6 Answers
We now use OIDC, and OPKSSH has been incredibly scalable for our enterprise needs.
How do you handle user and group management across multiple servers? Do you need to install OPKSSH on each server and manage users manually?
I noticed you skipped discussing the challenges around revoking and cycling out expired CAs, which can be tricky when dealing with OpenSSH's X.509 implementation.
Do you have resources that dive deeper into this? I know that in X.509, a root CA can't be revoked by default. SSH certs differ a bit since they don't use X.509 format, but I'd love to understand more.
Check out discussions from u/divad1196; they make solid points about the differences between SSH certificates and X.509 certificates, especially about CA hierarchies.
I'm still using SSH keys. Do SSH certificates work like SSL/TLS certs? Do I need to use a service like DigiCert, or can I self-sign them?
I've always self-signed my keys. I'm curious if others do the same.
Yes, they have a different format but generally function similarly to SSL/TLS certs. You'll set up a PKI infrastructure, so your root CA will be self-signed, and the keys users authenticate with are signed by your CA.
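The self-signed CA model described in this answer, and the revocation question raised a few comments earlier, as an added shell example that uses OpenSSH's own ssh-keygen (not code from the thread or from any poster): it creates a CA, signs a user's key into a short-lived certificate with principals and a serial number, inspects the result, and then revokes that serial through a key revocation list (KRL) without touching any server's authorized_keys. All paths, key names, principals and serial numbers are made-up values for the example.

```shell
#!/bin/sh
# Added example: one user-certificate lifecycle with ssh-keygen, in a temp dir.
# Server side (not shown) would point sshd_config at the two artefacts:
#   TrustedUserCAKeys /etc/ssh/user_ca.pub     (the CA public key)
#   RevokedKeys       /etc/ssh/revoked.krl     (the KRL)
# Names, principals and serials below are constructed for the example.
set -eu

ssh_cert_lifecycle() {
  work=$(mktemp -d) || return 1

  # 1. The CA keypair. Only user_ca.pub is distributed to servers; the
  #    private half stays with whatever issues certificates.
  ssh-keygen -q -t ed25519 -N '' -C 'example-user-ca' -f "$work/user_ca" || return 1

  # 2. A user's ordinary keypair, exactly as with static keys today.
  ssh-keygen -q -t ed25519 -N '' -C 'alice@example' -f "$work/alice" || return 1

  # 3. Sign the user's public key with the CA. -n lists the login names the
  #    cert is valid for, -V makes it expire in 8 hours, -z sets the serial we
  #    can later revoke by, -I is the key id that shows up in sshd's auth log.
  #    Output lands next to the input as alice-cert.pub.
  ssh-keygen -q -s "$work/user_ca" -I 'alice-laptop' -n 'alice,deploy' \
    -V '-1m:+8h' -z 1001 "$work/alice.pub" || return 1

  # Inspect the certificate: principals, validity window, extensions, key id.
  ssh-keygen -L -f "$work/alice-cert.pub" | grep -q 'alice-laptop' || return 1

  # 4. A KRL that revokes some unrelated serial (999) issued by this CA.
  #    Alice's certificate must still be accepted against it.
  printf 'serial: 999\n' > "$work/revoke.spec"
  ssh-keygen -k -f "$work/revoked.krl" -s "$work/user_ca.pub" \
    "$work/revoke.spec" || return 1
  ssh-keygen -Q -f "$work/revoked.krl" "$work/alice-cert.pub" >/dev/null || return 1

  # 5. Update the KRL (-u) with Alice's serial. ssh-keygen -Q exits non-zero
  #    for a revoked key, which is what we expect now.
  printf 'serial: 1001\n' > "$work/revoke.spec"
  ssh-keygen -k -u -f "$work/revoked.krl" -s "$work/user_ca.pub" \
    "$work/revoke.spec" || return 1
  if ssh-keygen -Q -f "$work/revoked.krl" "$work/alice-cert.pub" >/dev/null; then
    return 1   # still accepted: the revocation did not take
  fi

  rm -rf "$work"
  return 0
}

# Run the lifecycle when ssh-keygen is available on this machine.
if command -v ssh-keygen >/dev/null 2>&1; then
  ssh_cert_lifecycle && echo 'certificate issued, inspected, then revoked via KRL: ok'
fi
```

Two points a practitioner should take from this: by default sshd accepts a certificate only if one of its principals equals the login name (AuthorizedPrincipalsFile lets you map principals such as "deploy" to local accounts instead), and because the KRL is keyed on the CA plus the serial, the same file revokes certificates across every server that trusts that CA, which is the part static authorized_keys never gave you.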
I think SSH certs might add more complexity than using bastion hosts, which can already scale well for access management. Why not just manage access through bastions?
With SSH certificates, a new user just needs certificate request permission, and you skip individual server updates, making it more manageable.
But some argue bastion setups can handle thousands of users effectively, managing a centralized entry point for security.
I still use SSH keys for some projects, and configuration management tools like Ansible make it straightforward. I prefer SSH over SSM for AWS-oriented tasks!
I'm curious about how this setup would integrate with PIV certificates. If SSH tunnels could be established with PIV certs, that could streamline a lot of processes.
Same! I hope this simplifies things; I've always seen PIV used for different purposes.
While PIV certificates are likely X.509, OpenSSH supports a simpler format. There are patches that might help if you want to explore using PIVs.
Thanks for the recommendation! This tool looks perfect for what I've been searching for.