blipvert's comments (Hacker News)

If you generate short lived certificates via an automated process/service then you don’t really need to manage a revocation list as they will have expired in short order.

But then you can't log in if your box goes offline for any reason.

Hmm. For user certs you can have the service sign them for, say an hour, so long as you can ssh to your server in that time then there’s no need for any other interaction.

Sure you need your signing service to be reasonably available, but that’s easily accomplished.

Maybe I misunderstand?


That works for authn in the happy path: short-lived cert, grab it, connect, done.

Except for everything around that:

* user lifecycle (create/remove/rename accounts)

* authz (who gets sudo, what groups, per-host differences)

* cleanup (what happens when someone leaves)

* visibility (what state is this box actually in right now?)

SSH certs don’t really touch any of that. They answer "can this key log in right now", not "what should exist on this machine".

So in practice, something else ends up managing users, groups, sudoers, home dirs, etc. Now there are two systems that both have to be correct.

On the availability point: "reasonably available" is doing a lot of work ;)

Even with 1-hour certs:

* new sessions depend on the signer

* fleet-wide issues hit everything at once

* incident response gets awkward if the signer is part of the blast radius

The failure mode shifts from "a few boxes don't work" to "nobody can get in anywhere".

The pull model just leans the other way:

* nodes converge to desired state

* access continues even if control plane hiccups

* authn and authz live together on the box

Both models can work - it’s more about which failure mode is tolerable to you.
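To make the "can this key log in right now" point concrete, here is an added example (not code from the thread or from any of the tools named in it) that encodes and decodes the OpenSSH user-certificate wire format described in OpenSSH's PROTOCOL.certkeys and then applies the check sshd makes: is the login principal listed, and does the current time fall inside the validity window? The key bytes, timestamps and CA signature are constructed placeholders; signature verification against TrustedUserCAKeys is assumed to happen elsewhere and is deliberately not implemented here.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1  # 2 would be a host certificate


def _string(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def encode_user_cert(*, pubkey, key_id, principals, valid_after, valid_before,
                     serial=1, nonce=b"\x00" * 32, ca_pubkey=b"", signature=b""):
    """Build the certificate blob (the base64 part of an id_*-cert.pub line).
    The signature is whatever the caller passes; here it is a placeholder."""
    body = b"".join([
        _string(CERT_TYPE),
        _string(nonce),
        _string(pubkey),                       # raw 32-byte Ed25519 public key
        struct.pack(">Q", serial),
        struct.pack(">I", SSH_CERT_TYPE_USER),
        _string(key_id.encode()),
        _string(b"".join(_string(p.encode()) for p in principals)),
        struct.pack(">Q", valid_after),        # seconds since the epoch
        struct.pack(">Q", valid_before),
        _string(b""),                          # critical options: none
        _string(b""),                          # extensions: none
        _string(b""),                          # reserved
        _string(ca_pubkey),                    # signature key (the CA)
    ])
    return body + _string(signature)


class _Reader:
    """Sequential reader for the SSH wire types used above."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def _take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack(">I", self._take(4))[0]

    def u64(self):
        return struct.unpack(">Q", self._take(8))[0]

    def string(self):
        return self._take(self.u32())


def decode_user_cert(blob):
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 user certificate")
    nonce, pubkey, serial, ctype = r.string(), r.string(), r.u64(), r.u32()
    if ctype != SSH_CERT_TYPE_USER:
        raise ValueError("not a user certificate")
    key_id = r.string().decode()
    pr, principals = _Reader(r.string()), []
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    for _ in range(3):                 # critical options, extensions, reserved
        r.string()
    ca_pubkey, signature = r.string(), r.string()
    if r.pos != len(blob):
        raise ValueError("trailing bytes after certificate")
    return {"key_id": key_id, "principals": principals, "serial": serial,
            "valid_after": valid_after, "valid_before": valid_before,
            "pubkey": pubkey, "ca_pubkey": ca_pubkey, "signature": signature}


def cert_permits(blob, principal, now):
    """The decision sshd makes once the CA signature checks out: is the login
    name (or a name from AuthorizedPrincipalsFile) listed, and is 'now' inside
    [valid_after, valid_before)?  An empty principal list is rejected, matching
    sshd's handling of certificates trusted via TrustedUserCAKeys."""
    cert = decode_user_cert(blob)
    if not cert["principals"] or principal not in cert["principals"]:
        return False
    return cert["valid_after"] <= now < cert["valid_before"]


def to_pub_line(blob, comment=""):
    """Render as the one-line form ssh-keygen writes to id_ed25519-cert.pub."""
    return f"{CERT_TYPE.decode()} {base64.b64encode(blob).decode()} {comment}".rstrip()


def demo():
    """Constructed one-hour cert, the way an issuing service might mint it."""
    issued = 1_700_000_000                  # constructed timestamp
    blob = encode_user_cert(pubkey=b"\x01" * 32, key_id="alice@laptop",
                            principals=["alice", "deploy"],
                            valid_after=issued, valid_before=issued + 3600,
                            ca_pubkey=b"\x02" * 32, signature=b"\x03" * 64)
    return blob, issued


if __name__ == "__main__":
    blob, t0 = demo()
    print(to_pub_line(blob, "alice@laptop"))
    for offset in (60, 3599, 3600):
        print(f"t+{offset}s deploy:", cert_permits(blob, "deploy", t0 + offset))
```

The point the thread makes falls straight out of `cert_permits`: once `now` reaches `valid_before` the certificate stops working on every host without anyone distributing a revocation list, but nothing in the structure says which accounts, groups or sudo rules should exist on the box; that still has to come from somewhere else.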


Well, yes, pick your poison.

But for just getting access to role accounts then I find it a lot nicer than distributing public keys around.

And for everything else, a periodic Ansible :-)


Public keys (for OpenSSH) can be in DNS (VerifyHostKeyDNS) or in, say, LDAP via KnownHostsCommand and AuthorizedKeysCommand.
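For readers who have not wired these options up before, here is an added sshd_config fragment (not from the comment or from any project it names) showing where the pieces discussed in this thread plug in on the server side: CA trust and principal mapping for certificates, the revocation file that short-lived certificates let you largely stop maintaining, and the directory-backed alternative of an AuthorizedKeysCommand. All file paths and the helper script name are assumed.

```text
# Accept user certificates signed by these CA public keys
TrustedUserCAKeys /etc/ssh/user_ca.pub

# Per-login-name principal lists: /etc/ssh/principals/<user>, one principal per line
AuthorizedPrincipalsFile /etc/ssh/principals/%u

# Key/cert revocation (plain key list or KRL); with 1-hour certs this rarely changes
RevokedKeys /etc/ssh/revoked_keys

# Alternative from the comment above: pull plain public keys from a directory
# (the script path is hypothetical; %u is the login name being authenticated)
AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys %u
AuthorizedKeysCommandUser nobody
```

The client-side counterparts named in the comment (VerifyHostKeyDNS, KnownHostsCommand) live in ssh_config rather than sshd_config, and govern host-key trust rather than user authentication.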

That sounds like a lot of extra steps. How do I validate the authenticity of a signing request? Should my signing machine be able to challenge the requester? (This means that the CA key is on a machine with network access!!)

Replacing the distribution of a revocation list with short-lived certificates just creates other problems that are not easier to solve. (Also, 1h is bonkers, even Let's Encrypt doesn't do it)


1h is bonkers for certs in https, but it's not unreasonable for authorized user certs, if your issuance path is available enough.

IMHO, if you're pushing revocation lists at low latency, you could also push authorized keys updates at low latency.


Honestly, we used to replace a lot of pam_ldap and similar sorts of awful solutions. With those, if your LDAP went down even for a heartbeat, you couldn't log in at all.

So I totally agree: if I had to do certificates and didn't have something like Userify, a 1 hour (or even shorter if possible) expiration seems quite worth chasing, especially with suitable highly available configuration. (Of course, TFA doesn't even bother mentioning revocation and expiration, which should give you a clue as to how much fun those are lol)

And for more normal, lower-security requirements or non-HA, 6 or 8 hours or so would probably work and give you plenty of time for even serious system outages before the certs expired.

Not to hard shill or anything (apologies in advance, just skip if you're not interested), but there are two significant security and reliability differences between standard SSH (with or without certificates) and Userify:

1. Userify Cloud updates by default every three minutes, and on-premise Userify Express/Enterprise updates every ten seconds, but it doesn't have to update at all; even if your Userify server goes offline forever, you can still log in because the accounts are standard UNIX accounts (literally created with `useradd`)

2. When accounts are removed, Userify also completely nukes the user account, removes its sudo perms, and totally `kill -9`s any tmux/screen/etc sessions (all processes owned by the user are terminated across the entire enterprise within seconds), which is also not something that a certificate expiration would ever do.


Can’t remember the exact quote, but there is something in The Omen II about future wars being fought over food (Thorn corporation being involved in agriculture/fertiliser or something).

Last time that I saw it I wondered if the Ukraine conflict might be about control of the “Breadbasket of Europe” as much as anything.


But of course Thomas Malthus was wrong about everything and we just need to keep growing populations.

It's pretty indicative of the situation that you're unironically trying to say Malthus was right about some things, actually.

Control over European food supplies might have been a minor factor in Putin's decision to invade Ukraine but that was secondary to establishing a greater Russian empire with defensible strategic depth. A lot of Ukraine's wheat exports went to Egypt and they have suffered significant food cost inflation due to the war.

Maybe they are not fans of American citizens being shot in the face?

Which specific incident are you referring to? Not the one where the American citizen tried to run over the ICE agent with her car, right?

You're either not American or are much less in tune with what's happened than you think.

By the way. "Iran is a bad government" and "I don't want an avoidable, illegal hot war with Iran" can coexist.


the usual flipfloppers who support both the Jan 6 riot and the killings of anybody not agreeing with their dear leader

Clearly that one although it is unclear if she really wanted to run him over. That was a sorry event on all sides from the 'professional protesters' who think they can just interfere with police operations without running any risk themselves - the woman's partner screamed 'why did you use real bullets' - to the policeman who, having been dragged along by an illegal several weeks ago was clearly hair-triggered when it comes to vehicular assault.

The lesson to be learned here is that a) protesters should realise that they are bound by the same laws as all others no matter how virtuous they consider their causes to be and that interfering with police operations comes with real risks and b) the combination of such actions by protesters with the experiences police officers have had during encounters with their targets can make them react in ways which it can be assumed they'd normally not have done. Shooting that woman did not reduce the risk for the police officer, at all. It actually increased the risk of damage to him or others because wounded or dead people behind the wheel can turn vehicles into unguided projectiles.


A balanced statement. But unwelcome in these unreasonable times where you're supposed to pick one crowd or be treated like an enemy.

“I have had it with these anti-matter protons on this anti-matter truck!”

Or something.


If it’s not five nines then I’m not interested.

This sounds like a job for <ta-ta-ta-taaaa> contrib-directory-man!


So your solution to “I’d be interested in having a small ready-made tool and try this out” is “spend a bunch of time to get acquainted with the code base of something you may not even like, create a separate tool, and submit it without even knowing if it’ll be accepted”?

That’s like having someone looking at a display of ice cream in a supermarket saying “I’d be interested in trying a few samples before committing” and then getting a reply like “here are the recipes for all the ice creams, you can try to make them at home and taste them for yourself”.

I know I could theoretically spend my weekend working on a CLI tool for this or making ice cream. Every developer knows that, there’s no reason to point that out except snark. But you know who might do it even faster and better and perhaps even enjoy it? The author.

Look, the maintainer owes me nothing. I owe them nothing. This project has been shared to HN by the author and I’m making a simple, sensible, and sensical suggestion for something which I would like to see and believe would be an improvement overall, and I explained why. The author is free to agree or disagree, reply or ignore. Every one of those options is fine.


You’re not wrong, but you probably could have built the thing with Claude in the time it took you to write this comment.


You could likely have written that tool in the time that it took to write that comment.

If it would be useful to you, and to others, then why not?

And if it is not accepted then publish it yourself. Stop your whining.


I have explained why up the thread. I gave three reasons. Why are you feeling the need to be unnecessarily combative to a stranger on the internet? The author already said they think it’s a good idea and that they’ll work on it over the weekend, you’re being rude over nothing.


Someone gave you a constructive suggestion.

> (which I don’t enjoy)

> (which I avoid)

> (which I don’t want)

You are quite the negative Nelly.


> The author already said they think it’s a good idea and that they’ll work on it over the weekend

Did you even say “thank you”?


Am I talking to the secret HN account of JD Vance right now?

I upvoted. Comments saying just thank you aren’t the norm for HN. No need to furiously send multiple replies to the same comment, either. There’s a link to the guidelines at the bottom if you need a refresher.


Source?


American propaganda.


Genuine question - was your fair consideration prior to or after J6?


Both.


Interesting


As I recall that changed the size of the (vector graphic) icons in the window.

Though it has been twenty-odd years since I last used an SGI box so open to correction!


Yes, it was essentially a "zoom" wheel.


Here in the UK the leader of the opposition frequently refers to herself as an engineer.

She was a software engineer. LOL.

(I speak as someone with a degree in Computer Science and Software “Engineering”, and an inglorious past as a Chemical Engineering student)


UK Conservative Party leader Kemi Badenoch has both an engineering degree (computer systems engineering) and a law degree. Best of both worlds?


Touché!

