
Exactly. This is really useful in larger organizations where you may want more complex rules on access. For example, you can easily build "break glass" or 2nd party approved access on demand. You can put whatever logic you need in a CA front-end.

You can also make all the certs short-lived (and only store them in RAM).



The way I've been doing that is with Shamir Secret Sharing and encrypting keys until glass-breaking is necessary.
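
A worked illustration of the split-then-reassemble scheme the comment above refers to, added here as an editor's example and not code posted by the commenter: Shamir secret sharing over a prime field, with the CA key kept dark until a quorum of share holders presents their shares. The threshold, share count, the `break_glass` policy gate and the 32-byte sample CA key are all constructed for the demo; in practice you would more often split a key-encryption key that wraps the CA key at rest rather than the raw key bytes, but the arithmetic is the same.

```python
"""Shamir secret sharing for a break-glass CA key (added example, not the
thread's own code). Secrets are encoded as one element of GF(PRIME)."""
import secrets

# 2^521 - 1 is prime, so the field holds any secret of up to 65 bytes.
PRIME = (1 << 521) - 1

# Constructed sample CA private key; a real deployment would wrap the real
# key under a KEK and split the KEK instead of the key itself.
SAMPLE_CA_KEY = b"constructed-sample-ca-key-seed-0"  # 32 bytes


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients low to high) at x via Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, shares):
    """Split `secret` into `shares` points; any `threshold` of them recover it.

    The secret is the constant term of a random degree threshold-1 polynomial,
    so fewer than `threshold` points leave every constant term equally likely.
    """
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def interpolate_at_zero(points):
    """Lagrange interpolation at x=0; returns the constant term as an int."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def quorum_met(presented_shares, threshold):
    """Policy check: the math alone does not know the threshold, so enforce it here."""
    return len(presented_shares) >= threshold


def break_glass(presented_shares, threshold, secret_len):
    """Reassemble the key bytes only once a quorum of distinct shares is present."""
    if not quorum_met(presented_shares, threshold):
        raise PermissionError(
            f"{len(presented_shares)} shares presented, {threshold} required"
        )
    value = interpolate_at_zero(presented_shares[:threshold])
    return value.to_bytes(secret_len, "big")


if __name__ == "__main__":
    shares = split_secret(SAMPLE_CA_KEY, threshold=3, shares=5)
    # Any three holders can reassemble the key, in any order.
    print(break_glass([shares[4], shares[0], shares[2]], 3, 32) == SAMPLE_CA_KEY)
    # Two holders get a uniformly random field element, not a near miss.
    print(interpolate_at_zero(shares[:2]) == int.from_bytes(SAMPLE_CA_KEY, "big"))
```

Shares should be handed out over separate channels and the signing service should zero the reassembled key after the break-glass window closes; the short-lived certs it issues in that window are what actually expire.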


Generating tons of keys? Or just broad keys?

What I've done is generate a cert for the host(s) the user needs, for the time-span they need (subject to authorization logic).



