If you’re not using SSH certificates you’re doing SSH wrong (2019)

Rant engaged. As a person who feels responsible for ensuring what I build is secure, the security space feels inscrutably defeating. Is there a dummies guide, MOOC, cert, or other instructional material to better get a handle on all these things?<p>SSH keys make sense. But certificates? Is this OIDC, SAML, what? Is it unreasonable to request better and deeper &quot;how to do {new security thing}&quot; when PKI is a new acronym to someone? Where can I point my data science managers so they can understand the need and how to implement measures to have security on PII-laden dashboards? As so on.

I feel that trying to make SSH keys short-lived is becoming more painful each year because there&#x27;s an increase of tools that use SSH keys for purposes other than SSH logins. For example, age [1] encrypts files with SSH keys, agenix [2] does secrets management with it, Git can now sign commits with it [3], and even ssh-keygen can now sign arbitrary data [4]. All of these become useless the moment you start using short-lived keys.<p>[1]: <a href="https:&#x2F;&#x2F;github.com&#x2F;FiloSottile&#x2F;age" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;FiloSottile&#x2F;age</a><p>[2]: <a href="https:&#x2F;&#x2F;github.com&#x2F;ryantm&#x2F;agenix" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;ryantm&#x2F;agenix</a><p>[3]: <a href="https:&#x2F;&#x2F;calebhearth.com&#x2F;sign-git-with-ssh" rel="nofollow">https:&#x2F;&#x2F;calebhearth.com&#x2F;sign-git-with-ssh</a><p>[4]: <a href="https:&#x2F;&#x2F;www.man7.org&#x2F;linux&#x2F;man-pages&#x2F;man1&#x2F;ssh-keygen.1.html" rel="nofollow">https:&#x2F;&#x2F;www.man7.org&#x2F;linux&#x2F;man-pages&#x2F;man1&#x2F;ssh-keygen.1.html</a>

This article was very illuminating. And, I wish it was written like this:<p><pre><code> To really secure your SSH server, do these three things: 1. Setup a trusted authority 2. Use ssh certificates 3. With ssh certs, you can easily add MFA for logins expire until you reauth. Now that we&#x27;ve established this, here are the gory details. Lorem ipsum, lorem ipsum, lorem ipsum. </code></pre> It&#x27;s a great narrative, but I wish I knew the big payout in advance.

Meh, you&#x27;re not <i>wrong</i> for skipping SSH certs. They&#x27;re mature security, but not mature enough for everyone. And like everything else, they break, predictably and unpredictably. If you&#x27;re not ready for someone to emergency access their way into prod to fix a broken SSH issue on Christmas morning, you&#x27;re not ready for SSH certs. Maintenance will get you, one way or another..

&gt; This makes it operationally challenging to reuse host names. If prod01.example.com has a hardware failure, and it’s replaced with a new host using the same name, host key verification failures will ensue.<p>A new machine should just have a new name. If one really wants to pretend that it&#x27;s the old one, they&#x27;d better really copy it, including the keys. But even skipping that, sorting this out doesn&#x27;t seem like a big deal (at least at a small scale; I suspect the article makes more sense in some scenarios than in others).<p>&gt; Curiously, OpenSSH chooses to soft-fail with an easily bypassed prompt when the key isn’t known (TOFU), but hard-fails with a much scarier and harder to bypass error when there’s a mismatch.<p>Seems to me like a sensible behaviour for TOFU, not sure what&#x27;s curious about it. Sounds like it implies that an unknown key is at least as bad as a different-than-known key, but that sounds wrong in context of TOFU.<p>&gt; Once the user completes SSO, a bearer token (e.g., an OIDC identity token) is returned to the login utility. The utility generates a new key pair and requests a signed certificate from the CA, using the bearer token to authenticate and authorize the certificate request.<p>So the weakest point will likely be the SSO and the related infrastructure, instead of SSH and actual keys, and you&#x27;ll probably depend on third-party services and&#x2F;or custom&#x2F;uncommon self-hosted infrastructure. Likely with a SPOF too. Doesn&#x27;t sound good in general.<p>It probably does make sense in some organizations, but this particular setup doesn&#x27;t seem to apply to all SSH uses, and to justify the title.

It depends on the scale. If a company has a handfull of hosts I&#x27;d argue that deploying the full AAA and PKI systems to back cert auth is doing it wrong.<p>Traditional ssh-key auth is simple and reliable, it&#x27;s not until you have a large, complex and diverse user base that you need something more. That&#x27;s why the huge fang sites use it. Every org doesn&#x27;t need to mimic fang.

I still don&#x27;t care about any of this nonsense for my personal stuff when I can avoid it. Passwords all day for me. 0 security incidents in my lifetime.<p>Sucks that Github and some other things force SSH keys which are just passwords except always saved to your disk so that anyone who steals your laptop gets access.<p>It adds insult to injury when you try to capitulate to this malarkey, generate a key in PuTTy&#x27;s key generator, then Github whines that the default setting isn&#x27;t overkill enough and you have to make a whole NEW key with some other setting. I miss the good old days.

The SSH servers that I&#x27;m familiar with are spun up with a host cert, so all of the FUD in this article about connecting to an unknown host is a non-issue. Check that the host cert matches the one you expect once, and the tooling makes sure to notify you if it changes.<p>As far as provisioning, maintaining a secure CA signing practice is a nightmare. It&#x27;s K8S level of self-inflicted pain for a startup. If you&#x27;re running at a larger scale and can dedicate a team to it, fine. If you&#x27;re a dozen people trying to launch, getting the devops guy to run `ssh-copy-id` is not the challenge that this article makes it out to be. Nor is the slightly more automated Terraform script that installs and uninstalls authorized keys from servers.

So now simple and reliable SSH keys must now be replaced by a far more complex security architecture with a lot of interworking parts and a full-blown PKI and certificate authority, and the opportunity for any of the nodes to DoS the CA and prevent me from logging in.<p>I guess it&#x27;s time to toss out my local (self-hosted) Userify setup that has been reliably working for years, where I can just instantly update my keys across all servers, and still log in even if some bad guys start DDoS&#x27;ing my Userify host, and just switch over to certs.<p>Oh, wait, now I see. This is a sales pitch for their web-based SSO app. If you don&#x27;t use it, you&#x27;re &quot;doing SSH wrong&quot;. Good to know.

As long as it is not as easy as let’s encrypt, it won’t take off.

What seems to be missing from this is how I assign permissions to individual hosts. When I&#x27;m using public keys, I do so by only adding the user&#x27;s public key to the hosts I want them to access. It seems the way that certificates were presented that adding a user implicitly gives them access to all hosts using the same CA. I&#x27;m sure there&#x27;s a solution to this problem, but does anyone have any pointers?<p>For example, I want hostA and hostB to use the same CA. But some users should only have access to hostA but others should only have access to hostB. Others may have access to both.

SSH certificates make sense. But can you use hardware backed ones like the OpenPGP applet on yubikey with this?<p>I currently use this method to store my SSH keys safely. But I don&#x27;t know how this would work with certificates. If I have to store them in the computer instead of a hardware token it&#x27;s a huge step back in security.<p>By the way what do home users use to set up a PKI? Scripting everything with OpenSSL is but very nice. It would be cool if there were an open source PKI platform ideally even with IDP built in. With a nice web interface and easy to install with docker. Never found one though.

The &#x27;ideal ssh flow&#x27; involves a program that I think the author has written and a website login. Do these certificates require an existing system running single sign on or similar to hand out access to other machines, in single point of failure fashion?

I&#x27;m not doing anything wrong.<p>My sshd is behind spiped + logging in requires me to physically tap my yubikey.

Isn’t this the process that Teleport streamlines?

The article does a pretty good job explaining advantages of certificates. It overlooks the existence of solutions to some of the individual problems it mentions with keys, though. Tools like sssd exist, with which a way for the end user to keep their public key updated in a directory takes care of key distribution and at the same time limits who can use sudo, all without changing any files per-user on the server.

&gt; you’re doing SSH wrong<p>I understand the theoretical superiority to keys, but do we have some data per practically how many times key security actually failed someone?

Aside from being a pain to set up, what’s wrong with using GSSAPI &#x2F; Kerberos? (within an org)

I wish revocation was covered as well. The article mentions this issue in SSH:<p>&gt; Keys are trusted permanently, so mistakes are fail-open.<p>But you can make the same mistake using certificates, by issuing a certificate with a large expiration date. AFAIR you _can_ revoke valid certs, but that involves making changes to every box running ssh, much like when revoking a public key.

Previous discussion from 2019: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=20955465" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=20955465</a>

SSH certificates are great in theory, but the whole certificate management, ad-hoc issuance, and revocation require boatloads of infrastructure. If you do it right, certificates will be signed as needed and have a short validity period, say half an hour or something. That means you need an automated signing application, or a very cheap full-time certificate manager.<p>I’ve actually started working on such an app recently, including a web portal, CA rotation, automated configuration distribution, etc. Still far from usable, but if you’re interested in contributing: <a href="https:&#x2F;&#x2F;github.com&#x2F;Radiergummi&#x2F;fides" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Radiergummi&#x2F;fides</a>

SSH certificates are useful in large environments when scaling, automatic onboarding and offboarding are important, but IMO, small teams can (and should) continue using authorized key files as they have for years. They don&#x27;t really need these features.

&gt; What you’re supposed to do is verify the key fingerprint out-of-band by asking an administrator or consulting a database or something. But no one does that.<p>Actually they do where I work, pretty much every time, and I didn&#x27;t ask them to. Eyebrows will raise even higher if I forget to notify everyone I replaced a server at a domain causing a new signature (resulting in the scary &quot;possible MITM attack&quot; message). This is a good thing, but I should probably make it more efficient by publishing the fingerprints.<p>Although the article does point out this specific disadvantage of domain reuse with known_hosts. I can see why this solution could make things easier at larger scales.

Agreed--SSH certificate authorities (and principals) are powerful things that can be used to manage SSH access at scale. My workplace is a large enterprise that uses our own CA for getting access to systems--the keys it issues are good for 8 hours, then we have to grab a new key (using an internal utility).<p>For anyone who is interested, I put together a little playground which can be spun up in Docker that allows you to play around with and learn how SSH CAs and Principals work:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;dmuth&#x2F;ssh-principal-and-ca-playground" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;dmuth&#x2F;ssh-principal-and-ca-playground</a>

I would love this to work, as it indeed fixes several issues addressed in the article.<p>However, I don&#x27;t think openssh-server supports OCSP natively, so while you might be doing SSH right, you&#x27;re doing certificates wrong.

I have built a small signing service that works by a user SSHing in, performing LDAP (password) authentication and 2FA with duo, then injecting a time-limited certificate signed by Hashicorp Vault back to their user agent (although it could be modified to remove the Vault requirement). The UX is very simple (SSH to this address once per day), but the backend is complicated, so if there is any demand for me to put this on Github I am happy to do so.

If this is true then why does ssh not get set up this way by default?<p>Honestly what I would prefer is a better (and faster) version of monkeysphere [1]. That was honestly the most natural-feeling solution to SSH security.<p>(1) <a href="https:&#x2F;&#x2F;www.systutorials.com&#x2F;docs&#x2F;linux&#x2F;man&#x2F;1-monkeysphere&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.systutorials.com&#x2F;docs&#x2F;linux&#x2F;man&#x2F;1-monkeysphere&#x2F;</a>

Yes, SSH certificates are the way to go and pretty easy to set up. But what these articles fail to address is the user management aspect.<p>For the SSH certificate to be accepted, the unix user must first be present on the system. As far as I can understand, FreeIPA(or similar LDAP systems) cannot be used in conjunction with SSH certs. Whereas SSH keys are supported by these systems.<p>Can anyone provide any insight&#x2F;experience with this?

I disagree.<p>SSH keys seem great at first, 4KiB ~ 8 KiB public&#x2F;private key-pairs are tremendously more secure than something like an 10-character password. The math checks out at an academic level, but the implementation has a glaring flaw. One cannot easily ensure private keys are themselves protected by a 10-character password unlock. Put another way, people using private keys NOT protected by a secret pass&#x2F;phrase are super vulnerable to compromise. For example, physically take the laptop that contains the private key, and BOOM!<p>That&#x27;s the jist. Private keys can be setup with passwords, but the person in control of the private key can change their key&#x27;s pass&#x2F;phrase at anytime after, so straight-forward key escrow strategies don&#x27;t work. Inspecting the public key does not indicate the associated private key has any protection, and that&#x27;s good insofar as one key not leaking information about its&#x27; counterpart.

Stuff like this is really cool. But the problem is that certain clients (as in clients that pay your bills) can&#x27;t even get public keys to work and we end up allowing password logins. So I don&#x27;t know how I could make this work in the real world.<p>That&#x27;s where security ends, when &#x27;it just has to work&#x27; because &#x27;they&#x27;re the ones paying&#x2F;in charge&#x27;.

You can always host your own SSH CA pubkey server.<p>It is called an “AuthorizedKeysCommand” in `&#x2F;etc&#x2F;ssh&#x2F;sshd_config`.<p><a href="https:&#x2F;&#x2F;jpmens.net&#x2F;2019&#x2F;03&#x2F;02&#x2F;sshd-and-authorizedkeyscommand&#x2F;" rel="nofollow">https:&#x2F;&#x2F;jpmens.net&#x2F;2019&#x2F;03&#x2F;02&#x2F;sshd-and-authorizedkeyscommand...</a>

The comparison to public-key authentication is wrong. Introducing cert authentication brings a third party: public key infrastructure (which isn&#x27;t addressed at all and is described as some type of security panacea).<p>The more apt comparison should be made to other authentication technologies like, in particular, kerberos.

I love ssh certificates for access and indeed we&#x27;re using this for accessing our production network using a few small pieces of home-grown infrastructure.<p>However, there&#x27;s one big issue nobody is talking about: There is zero support for certificate authentication in any SSH clients for iOS and most people who have network access here also have iOS devices.<p>And even if there were support, just supporting the certificates alone is not enough - there would need to be some automatable way of getting a new certificate into an app as the whole idea of the certificates is that they are very short-lived (days or even hours if possible)

This is definitely true... and a lot of people are doing it wrong.<p>This is one of those things that drives me nuts as an experienced&#x2F;old developer, seeing people type passwords for ssh&#x2F;git&#x2F;whatever several times per day. Sometimes there are tasks that require copying &#x2F; checking some file on N servers, and these people seem to think that cannot be done in a shell script because the password needs to be entered interactively.<p>Then there&#x27;s ssh port forwarding, X11 forwarding, etc... but its amazing how many people use ssh for years without so much as glancing at the man page.

Keybase had an elegant solution I use <a href="https:&#x2F;&#x2F;keybase.io&#x2F;blog&#x2F;keybase-ssh-ca" rel="nofollow">https:&#x2F;&#x2F;keybase.io&#x2F;blog&#x2F;keybase-ssh-ca</a>

AFAIK unless something SSH passwords don&#x27;t use any kind of PAKE or zero-knowledge. It just straight up sends it to the server after authenticating, as the password box on a website login page would.<p>Really missed a great opportunity to add perhaps even more security than the server cert can(Because of how many users override it).<p>Come to think of it, website logins shouldn&#x27;t exist either, that&#x27;s way too common and I don&#x27;t see why there&#x27;s no PAKE based http basic auth feature.

Too bad you can&#x27;t do that with dropbear

Anyone using GitHub as a public key repository? I found it very convenient to set up a cron job that pulls <a href="https:&#x2F;&#x2F;github.com&#x2F;USERNAME.keys" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;USERNAME.keys</a> into authorized_keys and SSH from any client that has GitHub access.

Another headline that completely ignores the concept of threat modeling. If you&#x27;re preaching about what&#x27;s &quot;right&quot; and &quot;wrong&quot; regarding security without considering the threat model, you&#x27;re only doing harm to your readers.

Great article. All of your internal authentication should be using certificates. Web auth, Wifi, VPN, SSH<p>In the late 90s we came close to having this for the public internet as well but it never caught on. We paid the price with endless breaches and unmanageable credentials.

I am only disappointed that SSH certificate didn’t leverage OpenSSL for their powerful capability.<p>I guess that’s the small price to pay for speed of development without going through the international committee of ASN.1

dumb question but .... isn&#x27;t it a problem that private ssh keys are stored in ~&#x2F;.ssh and that any random app, npm dependency, build script, etc could copy them across the network?

Anyone have experience with using SSHFP records to avoid the so-called anti pattern of trust on first use?

If you trust a third party you doing ssh wrong :)

Who really wants to run a CA though?

Cool, how do I set up a CA?

&gt; Users are exposed to key material and encouraged to reuse keys across devices. Keys are trusted permanently, so mistakes are fail-open.<p>What? This just sounds like you&#x27;re doing it all wrong then blaming the tools.<p>Maybe I&#x27;m just thinking about it from my POV as a mainly hobbyist user of SSH, but I rotate my keys (not as frequently as I should, but I do), and I remove old ones from .authorized_keys files and I use different keypairs for different servers sometimes too. I never copy keys to other devices - I ssh-keygen on every device, and add my pub key to the authorized_keys file manually.<p>It isn&#x27;t even &quot;hard&quot; to do it this way. Sure, it doesn&#x27;t &quot;scale&quot; for big corps - but I don&#x27;t need it to scale, so I&#x27;m not &quot;doing SSH wrong&quot; by not using certificates.

&gt; brew install step<p>The audacity of mac users who think everyone uses a mac.

There are cases where if you leave SSH enabled then you are doing it wrong. If you only need SSH to do a few things once a while, you should just turn it off, and only turn it on when needed. In these situations, I feel it’s OK to just use password to login.

Ughh. Go read up on ACME (Let&#x27;s Encrypt). Unless you run your own Certificate Authority root, or configure things very carefully, using TLS certificates grants host level access to your DNS provider, and every organization that reliably routes external traffic to your host.<p>To what end? The threat model rekeying tries to protect against involves compromised authenticated client machines.<p>Once you have those, the attacker has shell on the server, and it&#x27;s game over. There are these things called &quot;advanced persistent threats&quot; that have been in the news a lot already.

I&#x27;m tempted to write a competing article: &quot;If you&#x27;re using SSH in 2022, you&#x27;re doing it wrong&quot;<p>There&#x27;s no need to open port 22 if tools like AWS Session Manager (and GCP&#x27;s equivalent) are available to you.