I feel like for SSH certs to expand beyond large companies, there's the need for an open-source service which does the issuing of short-lived certs after a user authenticates.
I know smallstep, but their offer feels open-core/freemium.
Hey totally agree with the open source aspect here in order for SSH certificates to reach broader adoption (coupled with seamless admin and user experience).
Infisical SSH is actually an extension of the Infisical platform which is open source and used by a ton of companies for secrets management.
I would love to ask you lovely HN people, assuming you actually use SSH for work:
- does you organization use ssh certs?
- how big is the org? ("I know most IT", or "it's impossible to know the whole IT"?)
- were you the ones that proposed and implemented that change? :)
SSH certs make so much sense and I know about them for a long time. Yet never implemented that approach - we had at most 2 people that were actually interested. And now for me everything is http API's and oauth, so I don't need it any more. I wonder what are reasons orgs don't use ssh certs by default.
We implemented it at a previous company, but it was a managed services provider that had access to customer VM's or other infrastructure. It was part of the soc2 process to "approve, audit, and then grant timed access" to various infra.
Everywhere else I worked just used ssh keys, either deployed via ansible or via LDAP because it's so much more simple unless there's a high need for an audit trail with proof of approval. SSH keys scale perfectly fine otherwise.
Unless I'm desperate, I'll never work for a managed services company again, so hopefully I'll never need to bother.
I'd say SSH certificate-based authentication is implemented widely at big tech and larger enterprises (tons of sources on it) but hasn't received the same mainstream adoption as SSH public key authentication because the administrative experience to set it up can be quite cumbersome despite how much benefit it provides. Put differently, there's always been a tradeoff in terms of configuration effort and benefits reaped.
With Infisical SSH, we've tried to abstract away as much complexity as possible and give folks the ability to implement a SSH certificate-based access scheme across infrastructure with minimal administrative overhead.
I was curious if Infisical would eventually turn into Vault (i.e., move beyond pure secret management), and this appears to be the first step in that direction. Granted, the onboarding/usage steps in the article are dramatically simplified compared to Vault.
We used to use a method that was identical to this using Vault. Even wrote our own mini-CLI with a similar usage pattern. However, nowadays, we rely on Tailscale SSH (with a break-glass key) and have never really felt the need for an alternative.
You're right in noticing that we're moving beyond secrets management into adjacent related verticals as well, specifically branching out more into the larger identity and access management space; secrets management continues to be the bread and butter of Infisical but the way we see it, it would be super nice in the long run to have one unified control plane over all related aspects spanning secrets management to certificate management, SSH access, and more.
One of the core product philosophies of Infisical has always been to abstract away complexity as much as possible while still giving users the ability to customize the tool.
Whereas Vault might, for example, have you explicitly create SSH certificate authorities and require 12+ steps to configure a working SSH certificate-based authentication model, Infisical SSH makes it so you only have to care about users and hosts that is who has access to what with something like 4 steps and if you want more power out of Infisical then that is always possible to build atop.
If you need easy distributed key management, modern SSH makes this fairly straightforward with some config values. It supports executing a program to get the SSH key at login time, dynamically. This way you can still maintain local certificates for fallback, and you can plug into anything. For example in the past I wrote a simple golang based app that loaded all of the SSH pubkeys from my organizations github, for users in a specific team.
I'm actually really bad at all this networking certificates, and have a question for the experts. If a user have to sign a short-lived CA and then present that certificate to the host he wishes to connect with, isn't that basically allowing CA emitters to track the user's activity for this host ?
This feels like replacing ssh for shh-with-tracking. Am i missing something ?
It's probably a typo, but a user rather uses short lived Cert, not a CA. CA (certificate authority) issues a Cert. CA doesn't have to be (and likely isn't) in users full control.
Hosts answering to connections using that cert don't have to send anything back to CA. They just need rules "I trust this CA. If a user has a cert from it, and this precise combination of fields match, I consider this user's response trustworthy".
Definitely some overlap there for sure but with different architecture — this is also an extension of the broader Infisical platform that a lot of companies use for secrets management.
Readit News
I feel like for SSH certs to expand beyond large companies, there's the need for an open-source service which does the issuing of short-lived certs after a user authenticates. I know smallstep, but their offer feels open-core/freemium.
Infisical SSH is actually an extension of the Infisical platform which is open source and used by a ton of companies for secrets management.
- does you organization use ssh certs?
- how big is the org? ("I know most IT", or "it's impossible to know the whole IT"?)
- were you the ones that proposed and implemented that change? :)
SSH certs make so much sense and I know about them for a long time. Yet never implemented that approach - we had at most 2 people that were actually interested. And now for me everything is http API's and oauth, so I don't need it any more. I wonder what are reasons orgs don't use ssh certs by default.
Everywhere else I worked just used ssh keys, either deployed via ansible or via LDAP because it's so much more simple unless there's a high need for an audit trail with proof of approval. SSH keys scale perfectly fine otherwise.
Unless I'm desperate, I'll never work for a managed services company again, so hopefully I'll never need to bother.
I'd say SSH certificate-based authentication is implemented widely at big tech and larger enterprises (tons of sources on it) but hasn't received the same mainstream adoption as SSH public key authentication because the administrative experience to set it up can be quite cumbersome despite how much benefit it provides. Put differently, there's always been a tradeoff in terms of configuration effort and benefits reaped.
With Infisical SSH, we've tried to abstract away as much complexity as possible and give folks the ability to implement a SSH certificate-based access scheme across infrastructure with minimal administrative overhead.
But since apparently ssh is now obsolete (as I was told here a week ago or so) maybe it makes no difference.
Like NFS.
Oh, wait.
I am on a corporate desktop where the agent service is not running:
Because of this, I use pageant.exe for the Microsoft OpenSSH binaries:https://the.earth.li/~sgtatham/putty/0.80/htmldoc/Chapter9.h...
I do see that pageant.exe supports certificates, but the discussion is quite brief.
We used to use a method that was identical to this using Vault. Even wrote our own mini-CLI with a similar usage pattern. However, nowadays, we rely on Tailscale SSH (with a break-glass key) and have never really felt the need for an alternative.
You're right in noticing that we're moving beyond secrets management into adjacent related verticals as well, specifically branching out more into the larger identity and access management space; secrets management continues to be the bread and butter of Infisical but the way we see it, it would be super nice in the long run to have one unified control plane over all related aspects spanning secrets management to certificate management, SSH access, and more.
One of the core product philosophies of Infisical has always been to abstract away complexity as much as possible while still giving users the ability to customize the tool.
Whereas Vault might, for example, have you explicitly create SSH certificate authorities and require 12+ steps to configure a working SSH certificate-based authentication model, Infisical SSH makes it so you only have to care about users and hosts that is who has access to what with something like 4 steps and if you want more power out of Infisical then that is always possible to build atop.
Good to know regarding Tailscale SSH!
This feels like replacing ssh for shh-with-tracking. Am i missing something ?
Hosts answering to connections using that cert don't have to send anything back to CA. They just need rules "I trust this CA. If a user has a cert from it, and this precise combination of fields match, I consider this user's response trustworthy".