Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Yeah but if you get a new device, you have to go add its pubkey to every server you ever use. I wish there were an easier way, otherwise it's understandable that people copy privkeys.


There is an easier way: Create a SSH CA, add that to your authorized_keys everywhere, use it to sign the individual public keys.


Yep that's what I do! I have two ssh-ca's stored on two Yubikeys. And both are trusted by my servers.

If I lose one I can still sign new certs with the other.

https://github.com/arianvp/nixos-stuff/blob/master/modules/s...


That's good but more complicated, and not everything supports it. Like on GitHub, SSH CA requires subscribing to their enterprise service.

Also idk if you can store the root or the resulting signed key in the enclave the way this article says.


But now you need to worry about revocation or at least key lifetimes.


I would argue that doing both of those is still less work than maintaining authorized_keys in many places.


Yes, also idk if the other way works with Secure Enclave


oops replied to wrong comment


> if you get a new device, you have to go add its pubkey to every server you ever use

It’s not too bad, if the number of servers is not too high.

I have different client pub keys on my phone, multiple laptops and desktop computers and manage my authorized keys to be able to ssh into my servers from the devices, as well as from one laptop to another or from my phone to one of the laptops, etc.

Because I already have several client devices I don’t really need any backup ssh keys. The fact that each device has a different key means that if one laptop breaks or my phone is stolen, I can still ssh into everything from one of the remaining devices and remove the pub key of the broken or stolen device from authorized keys and generate new keys on new devices and then using one of the existing devices to add the pub key of the new device to the authorized keys of the servers and other devices.

For me it’s manageable to do it manually. But if you have very many servers you’d probably want to use a configuration management tool like Chef, Ansible, Puppet or Saltstack. Presumably if you have a very high number of servers you’d already be using a configuration management tool like one of those for other configs and setup anyways.


There is an easier way, it's called TLS certificates, it's just that SSH decided not to use it for some reason.

Other systems of this nature have figured out long ago that you should be able to have one personal certificate (stored securely in an airgapped environment), from which you'd generate leaf certificates for your devices every year.


SSH CA is what you’re looking for. It’s a thing apparently (but I haven’t tried it yet).


ssh has supported signed certs for literal years


or FreeIPA?


If you’re operating at the scale this is too cumbersome to do manually surely you already have a configuration management system in place to automate this no?


I have keys tied to several random things, including home servers, GitHub, and AWS. Wouldn't call this scale exactly, but when I got a new laptop, it was way easier to just copy .ssh onto it rather than hunting everything down.


> I wish there were an easier way,

For SSH there is.

Its called SSH certificates. ;)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: