
OpenSSH 6.2 released - thoughts for larger systems

Posted Mar 22, 2013 21:57 UTC (Fri) by tialaramex (subscriber, #21167)
Parent article: OpenSSH 6.2 released

Prior to this, official OpenSSH does a great job for small systems, but it does get troublesome to manage it securely as a system grows, as the number of people using it grows, or both together. You either resort to password authentication (because you can centrally manage that) and lose the benefit of public key auth, or you end up maintaining some Heath Robinson scripts to update authorized_keys files everywhere, and either way you can't really do multi-factor cleanly. As OpenSSH 6.2 (or backports of these now official patches) lands in more places, that problem goes away.

AuthorizedKeysCommand plus AuthenticationMethods offers a future where redundant, SSL-secured LDAP servers maintain the public key list and password hashes for all your users, and you need both to log in. So you have multi-factor, plus you get to enforce password policy (length of password, frequency of change) and you get to easily administrate all this centrally.

And if you want to make your life _really_ easy, get DNSSEC (at least within your own networks) and use the support for DNS-based host key verification, which eliminates the need to maintain known_hosts files or (the reality in too many systems) do blind trust on first usage.
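The AuthorizedKeysCommand plus AuthenticationMethods setup described in the comment above, as an added example that is not part of the original post and not OpenSSH's own code: the sshd_config fragment, and a minimal helper that turns ldapsearch output (LDIF) into authorized_keys lines, with the two checks a practitioner needs (escaping the unauthenticated username before it goes into the LDAP filter, and only emitting values that look like bare public keys). The attribute name sshPublicKey, the helper path, the server name ldap.example.com and the sample directory entry are assumptions; GNU coreutils base64 is assumed.

```shell
#!/bin/sh
# Added example, not from the LWN comment or from OpenSSH: the sshd_config
# fragment for the setup described above plus a minimal AuthorizedKeysCommand
# helper that turns ldapsearch output (LDIF) into authorized_keys lines.
# Assumptions (not from the page): keys live in an LDAP attribute named
# sshPublicKey, the helper is installed as /usr/local/sbin/ldap-authorized-keys,
# the directory is ldap.example.com, and GNU coreutils base64 is available.

# sshd_config fragment (OpenSSH 6.2+). AuthenticationMethods makes sshd
# require every listed method, in order, so a leaked key alone or a stolen
# password alone is not enough. AuthorizedKeysCommandUser is mandatory and
# should be a dedicated, unprivileged account.
SSHD_CONFIG_FRAGMENT='PubkeyAuthentication yes
PasswordAuthentication yes
AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys
AuthorizedKeysCommandUser sshkeys
AuthenticationMethods publickey,password'

# Escape a value for use inside an LDAP search filter (RFC 4515). sshd hands
# the helper the *unauthenticated* username, so without this a client could
# try to log in as "*" or "x)(uid=*" and have the query return other users' keys.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Read LDIF on stdin, write authorized_keys lines on stdout. Handles LDIF line
# folding (continuation lines start with one space) and base64-encoded values
# ("sshPublicKey:: ..."). Only values that begin with a key type are emitted,
# so a bad directory entry cannot smuggle options such as command="..." into
# what sshd parses as authorized_keys; relax the allowlist if key options are
# stored in the directory deliberately.
ldif_to_authorized_keys() {
    p_b64='sshPublicKey:: '
    p_txt='sshPublicKey: '
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    while IFS= read -r line; do
        case "$line" in
            "$p_b64"*) value=$(printf '%s' "${line#"$p_b64"}" | base64 -d 2>/dev/null) || value= ;;
            "$p_txt"*) value=${line#"$p_txt"} ;;
            *) continue ;;
        esac
        case "$value" in
            ssh-rsa\ *|ssh-dss\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *)
                printf '%s\n' "$value" ;;
        esac
    done
}

# Constructed sample (fake key material) of what "ldapsearch -LLL" returns for
# one user: a base64-encoded value, a folded value, and a malicious value.
sample_ldif() {
    b64=$(printf '%s' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructed alice@example.com' | base64 | tr -d '\n')
    cat <<EOF
dn: uid=alice,ou=people,dc=example,dc=com
sshPublicKey:: $b64
sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAACBAconstructed
 -continuation alice@laptop
sshPublicKey: command="touch /tmp/owned" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbogus
EOF
}

# Entry point as sshd invokes the helper: argv[1] is the username being authenticated.
main() {
    uid=$(ldap_filter_escape "$1")
    ldapsearch -x -LLL -H ldaps://ldap.example.com -b 'ou=people,dc=example,dc=com' \
        "(&(objectClass=posixAccount)(uid=$uid))" sshPublicKey | ldif_to_authorized_keys
}

if [ $# -eq 1 ]; then main "$1"; fi
```

Running `sample_ldif | ldif_to_authorized_keys` yields the two legitimate keys and drops the line carrying a command option; `ldap_filter_escape 'x)(uid=*'` yields `x\29\28uid=\2a`. Note that in OpenSSH 6.2 the command receives only the username; the %k/%t fingerprint tokens came in later releases.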

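The DNS-based host key verification mentioned in the comment above, as an added example that is not part of the original post and not OpenSSH's own code: the client setting, and a small function that builds the SSHFP records (RFC 4255, with the SHA-256 fingerprint type from RFC 6594) for a host key. In practice `ssh-keygen -r hostname` emits these records; the function reimplements the record layout so the fields are visible. The host name and key blob are constructed, and GNU coreutils (base64, sha1sum, sha256sum) are assumed.

```shell
#!/bin/sh
# Added example, not from the LWN comment or from OpenSSH: ssh_config for
# DNS-based host key verification, and a function that builds SSHFP records
# from a host key in ssh_host_*_key.pub format. "ssh-keygen -r hostname" does
# this for real; the reimplementation shows the fields. Assumes GNU coreutils.

# ssh_config fragment. With VerifyHostKeyDNS yes, ssh accepts an SSHFP match
# as authoritative only when the resolver returned it DNSSEC-validated (AD bit
# set). An unvalidated match is only shown as a hint beside the usual
# trust-on-first-use prompt, which is why the known_hosts-free setup needs
# DNSSEC at least inside your own networks.
SSH_CONFIG_FRAGMENT='VerifyHostKeyDNS yes
StrictHostKeyChecking yes'

# SSHFP algorithm number for a key type (RFC 4255, RFC 6594, RFC 7479).
sshfp_algorithm() {
    case "$1" in
        ssh-rsa) echo 1 ;;
        ssh-dss) echo 2 ;;
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) echo 3 ;;
        ssh-ed25519) echo 4 ;;
        *) return 1 ;;
    esac
}

# sshfp_records HOSTNAME "KEYTYPE BASE64BLOB [comment]"
# Prints one RR per fingerprint type (1 = SHA-1, 2 = SHA-256). The digest is
# over the raw key blob, i.e. the base64 *decoded* second field of the .pub
# line, not over the printable text.
sshfp_records() {
    host=$1
    keytype=$(printf '%s' "$2" | cut -d' ' -f1)
    blob=$(printf '%s' "$2" | cut -d' ' -f2)
    alg=$(sshfp_algorithm "$keytype") || return 1
    sha1=$(printf '%s' "$blob" | base64 -d | sha1sum | cut -d' ' -f1)
    sha256=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -d' ' -f1)
    printf '%s IN SSHFP %s 1 %s\n' "$host" "$alg" "$sha1"
    printf '%s IN SSHFP %s 2 %s\n' "$host" "$alg" "$sha256"
}

# Constructed host key line: not a real key, just a valid base64 blob.
SAMPLE_HOST_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCxconstructedhostkeyblob0000ab root@host'

# Stand-alone usage: print the zone file lines for the sample key.
sshfp_records host.example.com. "$SAMPLE_HOST_KEY"
```

Publish both records for every host key type the server offers, sign the zone, and point clients at a validating resolver; without the AD bit the records only decorate the prompt they were meant to remove.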


OpenSSH 6.2 released - thoughts for larger systems

Posted Mar 23, 2013 4:33 UTC (Sat) by pabs (subscriber, #43278)

Another approach for your last paragraph is to use the OpenPGP web of trust, then you aren't relying on any central authority for your security. The Monkeysphere Project maps the OpenPGP web of trust onto SSH (and the web):

http://web.monkeysphere.info/

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds