
How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)



On Friday, June 03, 2022 10:43:53 AM Tom Browder wrote:
> I have been using ssh for logging in to my remote hosts for many years, but
> I have NOT been using ssh-agent.

I'm intentionally not addressing your specific questions.

For me, your post is rather timely, because I'm digging into ssh and was 
trying to understand the different methods of authentication and trying to 
decide what was best for me.  (I have a SOHO with up to 5 nodes at a time (right 
now only 3).)

From some of my reading, ssh certificates seem to be highly recommended, 
although it has seemed difficult for me to get all the details I want.

The best resource I've found so far is:

https://betterprogramming.pub/how-to-use-ssh-certificates-for-scalable-secure-and-more-transparent-server-access-720a87af6617?gi=8a3ac1f658bc

One problem with that article is that it seems that there are about 3 blanks 
in it where, for example, the text mentions something like ~"use this command" 
and then there is a big blank spot.  (I've tried viewing the page in 2 to 4 
different browsers, depending on how you count them -- some older versions of 
firefox, a fairly recent version of firefox, and an older version of konqueror).

I've looked for a way to contact the author but haven't found anything so far.

Some of the advantages of certificates are (iiuc):

   * maybe a simpler setup, after you understand how to do it

   * easier to manage the keys / authentication (specifically, if you need to 
revoke permissions for a user you can do it in one place)

   * apparently the security can be somewhat better (maybe a result of the 
previous bullet, but I think some other things as well)

   * you can make the transition gradually -- you can keep the "old" public 
key authentication in place (and continue to use it when, where, and if 
needed) while you transition some server(s) and user(s) to certificates.

I thought I'd call your attention to this for your consideration -- perhaps 
with both of us investigating and asking questions as needed, we both might 
make quicker progress.

In any event, have a good day!


Reply to:
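Added example (not from the post above or the linked article) of two of the listed points: a throwaway SSH user CA that signs one user certificate, an sshd_config fragment that trusts the CA while ~/.ssh/authorized_keys keeps working as before, and revocation of that certificate by serial through a key revocation list (KRL). It assumes OpenSSH's ssh-keygen is installed; the CA, the user "alice" and every path are constructed under a temporary directory.

```shell
#!/bin/sh
# Added example: a throwaway SSH user CA, one signed user certificate, and
# revocation of that certificate by serial through a key revocation list (KRL).
# Assumes OpenSSH's ssh-keygen is installed. The CA, the user "alice" and all
# paths are constructed under a temporary directory; nothing real is touched.
set -eu

# Create the CA key, a normal user key, and a certificate signed by the CA.
setup_ssh_ca() {
    lab="$1"
    mkdir -p "$lab"
    # The CA key: the single public key every server is told to trust.
    ssh-keygen -q -t ed25519 -N '' -C 'example-user-ca' -f "$lab/user_ca"
    # An ordinary user key pair, exactly as for plain public-key auth.
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$lab/alice"
    # Sign it: key id/principal "alice", serial 1, valid 1 day (short lifetimes
    # limit the damage window even before a revocation is pushed out).
    ssh-keygen -q -s "$lab/user_ca" -I alice -n alice -z 1 -V +1d "$lab/alice.pub"
    # Server side: an initially empty KRL, plus the sshd_config lines that make
    # sshd trust the CA while still honouring ~/.ssh/authorized_keys as before.
    ssh-keygen -q -k -f "$lab/revoked.krl"
    printf 'TrustedUserCAKeys %s/user_ca.pub\nRevokedKeys %s/revoked.krl\n' \
        "$lab" "$lab" > "$lab/sshd_config.fragment"
}

# Revoke one certificate by serial: a single CA-side edit to the KRL, which is
# then copied to every server, instead of editing authorized_keys on each host.
revoke_serial() {
    lab="$1"; serial="$2"
    printf 'serial: %s\n' "$serial" > "$lab/revoke.spec"
    ssh-keygen -q -k -u -s "$lab/user_ca" -f "$lab/revoked.krl" "$lab/revoke.spec"
}

# Exit 0 if alice's certificate is in the KRL, 1 if it is still usable
# (ssh-keygen -Q exits non-zero when any of the given keys is revoked).
cert_revoked() {
    if ssh-keygen -Q -f "$1/revoked.krl" "$1/alice-cert.pub" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

main() {
    lab=$(mktemp -d)
    setup_ssh_ca "$lab"
    cert_revoked "$lab" || echo "serial 1: valid (not in KRL)"
    revoke_serial "$lab" 1
    cert_revoked "$lab" && echo "serial 1: revoked; deploy revoked.krl to all hosts"
    rm -rf "$lab"
}
if command -v ssh-keygen >/dev/null 2>&1; then main; else echo "ssh-keygen not found; skipping" >&2; fi
```

The sshd_config fragment is what makes the transition gradual: with TrustedUserCAKeys added, a server accepts both certificates and the existing authorized_keys entries, so users and hosts can be moved over one at a time.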