On Thu, Jul 14, 2022 at 08:55:34AM -0400, rhkramer@gmail.com wrote:
> <Intentionally top posting>
>
> dsr, Thanks for the reply!
>
> Like I said, I think I went down a rabbit hole, and I wish I had realized that
> before I went there.

As someone else said, I agree that the certificate way is quite a bit more
complex than just distributing public keys. It'll play out its advantages if
you have many servers /and/ many users -- the disadvantages are clear: you have
to manage your CA (where the root of trust resides), /and/ your servers need
regular access to the CRLs (certificate revocation lists) for the case anything
gets compromised (of course, you could do without, but then, why use certs at
all?).

An alternative for a more central and orderly key distribution is to put
pubkeys in some form of directory service (say, LDAP). In our $COMPANY
(sub-100s of servers, sub-50 of IDs) we chose that path. Newer ssh servers can
delegate the authorized_keys to a script (i.e. the server doesn't look things
up in a file but runs a small program/shell script which is supposed to output
something looking like the authorized_keys file).

OTOH, if all you want is to learn how this cert stuff works, that's *always* a
strong reason to try!

Cheers
-- t
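The "authorized_keys from a script" approach mentioned in the reply above, as an added example that is not code from the thread or from any poster's setup: a hypothetical sshd AuthorizedKeysCommand helper that looks a user's keys up in a directory and prints them in authorized_keys format. It assumes the standard sshd_config directives AuthorizedKeysCommand and AuthorizedKeysCommandUser, a constructed LDIF-style dump standing in for a live LDAP query, and the names keys_for_user and ssh-keys-from-dir, which are this example's own.

```shell
#!/bin/sh
# Hypothetical AuthorizedKeysCommand helper (added example, not from the thread).
# sshd_config would point at it with:
#   AuthorizedKeysCommand /usr/local/bin/ssh-keys-from-dir %u
#   AuthorizedKeysCommandUser nobody
# sshd runs it as that user and reads stdout exactly as an authorized_keys
# file; the script must be root-owned and not writable by group or others.

# Constructed stand-in for the directory: an LDIF-style dump with one entry
# per user. In production this text would come from a query such as
#   ldapsearch -LLL -b ou=people,dc=example,dc=com "(uid=$user)" sshPublicKey
DIR_DUMP='dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAliceKey0000000000000000000000000 alice@laptop
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAliceKey1111111111111111111111111 alice@desk

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBobKey000000000000000000000000000 bob@home'

keys_for_user() {
    user="$1"
    # %u is chosen by the not-yet-authenticated client: accept only a plain
    # account name before it goes anywhere near a directory query.
    case "$user" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    printf '%s\n' "$DIR_DUMP" | awk -v want="$user" '
        /^dn:/ { inuser = 0 }                     # new entry: forget state
        $1 == "uid:" && $2 == want { inuser = 1 } # entry for our user
        inuser && $1 == "sshPublicKey:" {
            sub(/^sshPublicKey: /, "")
            # re-validate what the directory returned: emit only lines that
            # look like a key, so a stray attribute can never turn into an
            # authorized_keys option line
            if ($0 ~ "^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+( .*)?$")
                print
        }'
}

# sshd passes exactly one argument (%u); with none, only define the function.
[ $# -eq 0 ] || keys_for_user "$1"
```

Because sshd runs the command at every login, deleting a key from the directory revokes access immediately, which is what the CRL handling discussed above has to provide for certificates; the directory's write ACL on sshPublicKey then becomes the thing to guard.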