
Garrett: We need better support for SSH host certificates

Posted Mar 27, 2023 16:35 UTC (Mon) by floppus (guest, #137245)
In reply to: Garrett: We need better support for SSH host certificates by kokkoro
Parent article: Garrett: We need better support for SSH host certificates

> For example, it would be pretty easy for GitHub to add a one-liner for users to add their CA to known_hosts, and that would be safer than TOFU anyway. Compared to TOFUing individual self-generated host keys, TOFUing a CA is much riskier.

That depends what you mean by "TOFUing a CA". If that means "trusting this CA to issue certificates for any hostname", the way web browsers do, then yes, that's horribly dangerous.

If it means "trusting this CA to issue certificates for the hostname I'm currently connecting to", that doesn't seem any different from "a one-liner for users to add their CA to known_hosts". And for ssh to do that itself, on first use, would be decidedly safer than requiring users to copy and paste a command they don't understand.

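Worked illustration of the distinction drawn above, added here as an example and not part of floppus's comment, of OpenSSH, or of anything GitHub ships: a small Python model of how a known_hosts file scopes trust. It follows the known_hosts matching rules (comma-separated host patterns, `*` and `?` wildcards, `!` negation, `|1|salt|hash` hashed hostnames, `@cert-authority` and `@revoked` markers) closely enough to show that a `@cert-authority` line for `github.com,gist.github.com` is exactly "trust this CA for the host I'm connecting to", while `@cert-authority *` is the browser-style "trust this CA for any hostname". The key blobs and the sample file are constructed placeholders; `decide`, `ca_scope` and `scoped_cert_authority_line` are names chosen for this example. Signature verification of the host certificate itself is assumed to have already happened; the code only answers the trust question.

```python
# Added example, not OpenSSH code: a small model of how known_hosts scopes
# trust. It follows the known_hosts matching rules (comma-separated host
# patterns, * and ? wildcards, ! negation, |1|salt|hash hashed hostnames,
# @cert-authority and @revoked markers) to show the difference between
# trusting a CA for one hostname and trusting it for every hostname.
# The key blobs are constructed placeholders, not real keys.
import base64
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional

GITHUB_CA = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGITHUBCA0constructed0placeholder0000"
GLOBAL_CA = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGLOBALCA0constructed0placeholder0000"
PINNED_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPINNED0constructed0placeholder000000"
LEAKED_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILEAKED0constructed0placeholder000000"

# Constructed sample known_hosts file.
KNOWN_HOSTS = f"""\
# TOFU-style entry: one pinned key for one host
git.example.org {PINNED_KEY}
# CA trusted only for the listed hostnames (what a scoped one-liner adds)
@cert-authority github.com,gist.github.com {GITHUB_CA}
# CA trusted for any hostname: browser-style trust
@cert-authority * {GLOBAL_CA}
# key known to be compromised, refused for every host under this domain
@revoked *.bad.example {LEAKED_KEY}
"""

@dataclass(frozen=True)
class Entry:
    marker: Optional[str]  # None (plain host key), "cert-authority" or "revoked"
    hosts: str             # raw host-pattern field, e.g. "github.com,gist.github.com"
    key: str               # "<keytype> <base64 blob>"

def parse_known_hosts(text: str) -> list[Entry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0)[1:] if fields[0].startswith("@") else None
        entries.append(Entry(marker, fields[0], f"{fields[1]} {fields[2]}"))
    return entries

def hash_host(host: str, salt: Optional[bytes] = None) -> str:
    """The |1|salt|hash form written when HashKnownHosts is enabled."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def _glob(pattern: str, host: str) -> bool:
    # Only * and ? are wildcards; everything else (including dots) is literal.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None

def host_matches(hosts: str, host: str) -> bool:
    if hosts.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hosts.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    matched = False
    for pat in hosts.split(","):
        if pat.startswith("!"):
            if _glob(pat[1:], host):
                return False  # a negated pattern that matches vetoes the whole line
        elif _glob(pat, host):
            matched = True
    return matched

def decide(entries: list[Entry], host: str, key: str, *, signed_by_ca: bool = False) -> str:
    """Trust verdict for `host`.  With signed_by_ca=False, `key` is the host's own
    public key and is compared against plain lines.  With signed_by_ca=True, `key`
    is the CA key that signed the host certificate (signature already verified)
    and is compared against @cert-authority lines that cover this host."""
    applicable = [e for e in entries if host_matches(e.hosts, host)]
    if any(e.marker == "revoked" and e.key == key for e in applicable):
        return "revoked"
    wanted = "cert-authority" if signed_by_ca else None
    for e in applicable:
        if e.marker == wanted and e.key == key:
            return f"trusted via CA scoped to {e.hosts!r}" if signed_by_ca else "trusted via pinned key"
    return "unknown"

def ca_scope(entries: list[Entry], ca_key: str) -> list[str]:
    """Host patterns a CA may issue for; a bare '*' means any hostname at all."""
    return [e.hosts for e in entries if e.marker == "cert-authority" and e.key == ca_key]

def scoped_cert_authority_line(host: str, ca_key: str, hashed: bool = False) -> str:
    """What a client could append on first use: trust `ca_key` for `host` only."""
    return f"@cert-authority {hash_host(host) if hashed else host} {ca_key}"
```

With the sample file, `decide(entries, "github.com", GITHUB_CA, signed_by_ca=True)` is trusted while `decide(entries, "git.example.org", GITHUB_CA, signed_by_ca=True)` is unknown, because the GitHub CA line is scoped to GitHub's hostnames; the same query with GLOBAL_CA is trusted for every host, which is what `ca_scope(entries, GLOBAL_CA)` returning `["*"]` makes visible. `scoped_cert_authority_line` is the line a first-use prompt would record: it pins the CA to one hostname (hashed, if HashKnownHosts is in use), so it is no broader than pinning that host's own key.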


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds