SSH certificates offer a significantly better experience than plain public key authentication: host certificates let clients drop Trust on First Use (TOFU) because a server proves its identity with a certificate signed by a CA the client already trusts, user certificates remove the need to distribute public keys into every server's authorized_keys, and both kinds carry a built-in validity window, so credentials can be short-lived and expire on their own. The post walks through setting up an SSH CA with ssh-keygen, signing both user and host keys, configuring servers to trust the CA (TrustedUserCAKeys) and to present their host certificate (HostCertificate), and replacing per-host known_hosts entries on clients with a single @cert-authority line. Additional features covered include forced commands, source IP restrictions, principal-based access control, and PTY permission management, all expressed as certificate options at signing time. A proof-of-concept automation using a Python BottlePy HTTP server and the sshkey-tools library is also demonstrated for automated host key certificate distribution.
Table of contents
SSH key pairs
SSH Certification Authority
An initial connection
Checklist
Automate host key certificate distribution?
Further reading
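The procedure the post describes, condensed into one runnable script: create the CA, sign a host key and a user key, and emit the client and server trust configuration. This is an added example, not code from the original post; the hostnames, principals, the 10.0.0.0/8 source network, the forced command and the paths under /etc/ssh are made-up demo values, and the script skips the ssh-keygen steps when the tool is not installed.

```shell
#!/bin/sh
# Added example (not the original post's code): build an SSH CA with ssh-keygen,
# sign one host key and one user key with the restrictions discussed above, and
# print the trust configuration for the client and the server. All names,
# networks and paths below are demo values, not real infrastructure.
set -eu

WORK="${SSH_CA_DEMO_DIR:-$(mktemp -d)}"

# Client side: one known_hosts line trusts every host matching the pattern that
# presents a host certificate signed by this CA, so no TOFU prompt is needed.
cert_authority_line() {            # $1 = host pattern, $2 = CA public key line
    printf '@cert-authority %s %s\n' "$1" "$2"
}

# Server side: trust user certificates issued by the CA, and serve our own host
# certificate next to the host key it was issued for.
sshd_trust_fragment() {            # $1 = CA pubkey, $2 = host key, $3 = host cert
    printf 'TrustedUserCAKeys %s\nHostKey %s\nHostCertificate %s\n' "$1" "$2" "$3"
}

# Host certificate: -h marks it as a host cert, -n lists the names a client may
# use to reach it, -V sets validity. ssh-keygen writes <key>-cert.pub beside the key.
sign_host_key() {                  # $1 = host principals, $2 = host pubkey path
    ssh-keygen -q -s "$WORK/ca" -I "host:$1" -h -n "$1" -V +52w "$2"
}

# User certificate: short-lived (-V), restricted to a source network, forced to a
# single command and denied a PTY through -O options; -n carries the login
# principals the server will match against.
sign_user_key() {                  # $1 = key id, $2 = principals, $3 = user pubkey path
    ssh-keygen -q -s "$WORK/ca" -I "$1" -n "$2" -V +8h \
        -O source-address=10.0.0.0/8 \
        -O force-command=/usr/bin/uptime \
        -O no-pty \
        "$3"
}

demo() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found; skipping key generation and signing" >&2
        return 0
    fi
    # The CA key is the trust root: keep its private half off the fleet.
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/ca" -C "demo-ssh-ca"
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/host_key" -C "host.example.com"
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/alice" -C "alice"

    sign_host_key "host.example.com,10.0.0.5" "$WORK/host_key.pub"
    sign_user_key "alice@laptop" "alice,admin" "$WORK/alice.pub"

    echo "# known_hosts entry for every client"
    cert_authority_line '*.example.com' "$(cat "$WORK/ca.pub")"
    echo "# sshd_config fragment for every server (demo paths)"
    sshd_trust_fragment /etc/ssh/ca.pub \
        /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key-cert.pub
    echo "# decoded user certificate: check principals, validity and options"
    ssh-keygen -L -f "$WORK/alice-cert.pub"
}

demo
```

The @cert-authority line carries the CA's public key only; the private half is needed just for ssh-keygen -s and never has to reach a server or a client. After signing, ssh-keygen -L is the quickest way to confirm that the principals, the validity window and the critical options (source-address, force-command) ended up in the certificate before it is handed out.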