科技回声
A tech news platform built on Next.js, offering global tech news and discussion.

SSH Keys Don't Scale. SSH Certificates Do

20 points by dangtony98 about 1 month ago

10 comments

fisian about 1 month ago

It's just an ad for their SSH cert service...

I feel like for SSH certs to expand beyond large companies, there's the need for an open-source service which does the issuing of short-lived certs after a user authenticates. I know smallstep, but their offer feels open-core/freemium.

Comment #43683785 not loaded
szszrk about 1 month ago

I would love to ask you lovely HN people, assuming you actually use SSH for work:

- does your organization use ssh certs?
- how big is the org? ("I know most IT", or "it's impossible to know the whole IT"?)
- were you the ones that proposed and implemented that change? :)

SSH certs make so much sense and I have known about them for a long time. Yet I never implemented that approach - we had at most 2 people that were actually interested. And now for me everything is HTTP APIs and OAuth, so I don't need it any more. I wonder what the reasons are that orgs don't use ssh certs by default.

Comment #43681757 not loaded
Comment #43683910 not loaded
Comment #43681724 not loaded
chasil about 1 month ago

The content of the article is OpenSSH-centric. Especially on Windows, this needs to include the PuTTY pageant.exe.

I am on a corporate desktop where the agent service is not running:

    C:\>ssh-agent
    unable to start ssh-agent service, error :1058

Because of this, I use pageant.exe for the Microsoft OpenSSH binaries:

https://the.earth.li/~sgtatham/putty/0.80/htmldoc/Chapter9.html#pageant-cmdline-openssh

I do see that pageant.exe supports certificates, but the discussion is quite brief.
sepositus about 1 month ago

I was curious if Infisical would eventually turn into Vault (i.e., move beyond pure secret management), and this appears to be the first step in that direction. Granted, the onboarding/usage steps in the article are dramatically simplified compared to Vault.

We used to use a method that was identical to this using Vault. Even wrote our own mini-CLI with a similar usage pattern. However, nowadays, we rely on Tailscale SSH (with a break-glass key) and have never really felt the need for an alternative.

Comment #43684031 not loaded
thinkingkong about 1 month ago

If you need easy distributed key management, modern SSH makes this fairly straightforward with some config values. It supports executing a program to get the SSH key at login time, dynamically. This way you can still maintain local certificates for fallback, and you can plug into anything. For example, in the past I wrote a simple golang-based app that loaded all of the SSH pubkeys from my organization's GitHub, for users in a specific team.
abricq about 1 month ago

I'm actually really bad at all these networking certificates, and have a question for the experts. If a user has to sign a short-lived CA and then present that certificate to the host he wishes to connect with, isn't that basically allowing CA emitters to track the user's activity for this host?

This feels like replacing ssh with ssh-with-tracking. Am I missing something?

Comment #43682062 not loaded
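What a host actually receives and checks in this design, as an added Python example that is not from the article or anyone in the thread: it builds a constructed ssh-ed25519 user certificate blob in OpenSSH's PROTOCOL.certkeys field layout (dummy nonce, keys and signature), parses the fields sshd consults, and makes the principal and validity decision locally on the host. The CA signature check that a real sshd additionally performs against its TrustedUserCAKeys is omitted here.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b):  # SSH "string": big-endian uint32 length, then the bytes
    return struct.pack(">I", len(b)) + b

def build_cert(key_id, principals, valid_after, valid_before, serial=7):
    # Constructed sample in PROTOCOL.certkeys field order; nonce, keys and
    # signature are dummy bytes because this demo only parses, never signs.
    return (_s(CERT_TYPE) + _s(b"N" * 32) + _s(b"K" * 32)
            + struct.pack(">QI", serial, 1)                      # serial, 1 = user cert
            + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))   # principals, packed
            + struct.pack(">QQ", valid_after, valid_before)      # unix seconds
            + _s(b"") + _s(b"") + _s(b"")                         # critical opts, extensions, reserved
            + _s(b"CA-PUBKEY-PLACEHOLDER") + _s(b"SIG-PLACEHOLDER"))

def parse_cert(blob):  # decode the fields a host consults
    off = 0
    def rd(fmt):
        nonlocal off
        val = struct.unpack_from(fmt, blob, off)[0]
        off += struct.calcsize(fmt)
        return val
    def rd_s():
        nonlocal off
        n = rd(">I")
        off += n
        return blob[off - n:off]
    if rd_s() != CERT_TYPE:
        raise ValueError("not an ed25519 user certificate")
    rd_s(), rd_s()                                               # skip nonce and public key
    cert = {"serial": rd(">Q"), "type": rd(">I"), "key_id": rd_s().decode()}
    packed, cert["principals"], p = rd_s(), [], 0
    while p < len(packed):                                       # nested SSH strings
        n = struct.unpack_from(">I", packed, p)[0]
        cert["principals"].append(packed[p + 4:p + 4 + n].decode())
        p += 4 + n
    cert["valid_after"], cert["valid_before"] = rd(">Q"), rd(">Q")
    return cert

def check_login(blob, requested_user, now):
    """Decision made locally on the host; the CA is not contacted at login time."""
    c = parse_cert(blob)
    if c["type"] != 1:
        return "rejected: not a user certificate"
    if not c["valid_after"] <= now < c["valid_before"]:
        return "rejected: outside validity window"
    if requested_user not in c["principals"]:
        return "rejected: %s not in principals" % requested_user
    return "ok: key_id=%s serial=%d" % (c["key_id"], c["serial"])
```

A short validity window is what bounds the damage from a leaked certificate; the host needs no revocation lookup because the clock does that job.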
bananapub about 1 month ago

Why do people upvote this sort of lazy and shitty content marketing?
karmicthreat about 1 month ago

This seems kind of like Teleport without the logging and remote infrastructure.

Comment #43684094 not loaded
ltbarcly3 about 1 month ago

GitHub uses ssh keys. I would wager GitHub's auth volume is orders of magnitude bigger than anything Infisical has ever done or will ever do.

Therefore ssh keys do in fact scale.

Comment #43682028 not loaded
Bleibeidl about 1 month ago

... or use something like FreeIPA