Why not? We’ve asked hundreds of people that question. From our perspective they’re all pros, no cons. SSH certificates have been on our radar for a while. We build open source software that lets you run your own private certificate authority and manage X.509 (TLS/HTTPS) certificates. BackgroundĪt smallstep, certificates are kind of our jam. SSH certificate authentication makes SSH easier to use, easier to operate, and more secure. The solution is to switch to certificate authentication. They’re actually problems with SSH public key authentication. None of these issues are actually inherent to SSH. The good news is this is all easy to fix.
Keys are trusted permanently, so mistakes are fail-open. Users are exposed to key material and encouraged to reuse keys across devices. SSH encourages bad security practices.Homegrown tools scatter key material across your fleet that must be cleaned up later to off-board users. Key approval & distribution is a silly waste of time. You’re left with weird new credentials to manage with little guidance on how to do so. Connecting to new hosts produces confusing security warnings. You’re probably familiar with these issues: But SSH has some pretty gnarly issues when it comes to usability, operability, and security. It’s the de-facto solution for remote administration of *nix systems.
0 kommentar(er)
