If you manage more than a handful of servers, you already know the pain. Every new developer who joins the team needs their public key added to aut...
what are your versions of ssh-keygen and sshd?
openssh 9.9 on both. the certificate stuff works from 8.x onwards though, so version shouldn't matter much unless you're on something really old.
FYI, I had an error and I'm running OpenSSH_9.6p1 Ubuntu-3ubuntu13.15, OpenSSL 3.0.13.
9.6 definitely supports certificates, so it's not a version issue. ubuntu splits sshd config across /etc/ssh/sshd_config.d/ drop-in files, and sometimes those override what you put in sshd_config. check if there's anything in there overriding TrustedUserCAKeys. also, what's the actual error you get? it would help narrow it down.
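Added example, not from the article or any of the commenters: a small Python resolver for the drop-in precedence described in the comment above. sshd keeps the first value it reads for a keyword, and Ubuntu's stock /etc/ssh/sshd_config opens with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in silently beats the same keyword written later in the main file. The script assumes that layout and builds a constructed sample tree in a temp directory instead of reading the real /etc/ssh.

```python
import glob
import os
import tempfile

def parse_config(path, seen=None):
    """Yield (keyword, value, file, lineno) in sshd's read order. Assumed
    simplifications: 'Keyword value' lines only, Match blocks skipped (global
    value only), relative Includes resolved against the including file's dir."""
    seen = set() if seen is None else seen
    if path in seen:  # guard against Include loops
        return
    seen.add(path)
    in_match = False
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            keyword, _, value = line.replace("\t", " ").partition(" ")
            keyword, value = keyword.lower(), value.strip()
            if keyword == "match":
                in_match = True
            if in_match:
                continue
            if keyword == "include":
                for pattern in value.split():
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(os.path.dirname(path), pattern)
                    for inc in sorted(glob.glob(pattern)):
                        yield from parse_config(inc, seen)
            else:
                yield keyword, value, path, lineno

def effective_setting(main_config, keyword):
    """sshd keeps the FIRST value read, so return the first match (or None)."""
    for kw, value, file, lineno in parse_config(main_config):
        if kw == keyword.lower():
            return value, file, lineno
    return None

def build_sample():
    """Constructed sample mirroring Ubuntu's layout; returns the main config path."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sshd_config.d"))
    with open(os.path.join(root, "sshd_config.d", "50-cloud-init.conf"), "w") as f:
        f.write("TrustedUserCAKeys /etc/ssh/old_ca.pub\n")  # read first: wins
    main = os.path.join(root, "sshd_config")
    with open(main, "w") as f:  # same keyword later in the main file loses
        f.write("Include sshd_config.d/*.conf\nPasswordAuthentication no\n")
        f.write("TrustedUserCAKeys /etc/ssh/user_ca.pub\n")
    return main
```

On a live host, `sshd -T | grep -i trustedusercakeys` prints the value the daemon actually loaded and is the authoritative check; the script only explains which file produced it.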
My issue was even before running the SSH daemon. It was in Step 2: Sign Host Keys. It's now fixed. I suggest you use static file system paths for all files; this will help replicate them easily. Different versions behave in odd ways and have different configuration paths. Hope this helps.
Great article!
the authorized_keys sprawl is the real problem. certs solve it cleanly but nobody migrates until something actually breaks.
Exactly. The migration incentive problem is real -- certs require upfront investment in a CA workflow, and authorized_keys "works" until it doesn't. I've seen teams finally switch only after an incident where a departed employee's key was still active six months later.
that scenario is basically free CA adoption, just very expensive. the post-incident key audit is what usually sells it - nothing convinces a security team faster than "we have no idea who still has access."
Ha, yeah. "Free CA adoption, just very expensive" is a perfect way to put it. The irony is that the audit itself becomes the business case -- once someone has to explain to leadership why a former contractor still had prod access, the CA budget materializes overnight.
exactly - nothing like a "wait, is john still in github?" moment to unlock a pki budget. the audit writes itself.