[Cryptography] Why aren’t we using SSH for everything?

Theodore Ts'o tytso at mit.edu
Sun Jan 4 14:36:42 EST 2015

On Sat, Jan 03, 2015 at 10:14:38PM -0800, Tony Arcieri wrote:
> > No one forces users to blindly trust a remote host key on first
> > encountering it, that's why there are fingerprints and people should
> > validate those - if people are stupid and don't validate them, well then
> > you can't help such folks.
> Do you actually verify key fingerprints, and if so, how?

So I don't actually verify key _fingerprints_, but....

ssh-keygen -h -s ~/.ssh/cert_signer -I thunk.org -V +52w -n thunk,thunk.org -z 8 ~/.ssh/host-keys/thunk.pub

And in the sshd_config file:

HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

Works quite nicely, since I only have to install a single
~/.ssh/known_hosts_cert file in each of my laptops/desktop/ChromeOS

						- Ted

More information about the cryptography mailing list