
How to Harden SSH with Identities and Certificates (2014) - gk1
https://ef.gy/hardening-ssh
======
xiaomai
I run a fleet of thousands of business devices running ssh. I used to have ssh
configured to just ignore HostKey warnings but that always made me a little
uneasy. Setting up an ssh CA and signing host keys was just a one-night
project and it has made working with devices much more convenient and safe.

~~~
aberoham
Another really easy way to do this is to simply augment or replace your
openssh daemon with Teleport. We just added a feature to master that handles
CA rotation automatically for an entire fleet. Check it out on GitHub
[https://github.com/gravitational/teleport](https://github.com/gravitational/teleport)

~~~
erric
A vote here for Teleport. Anyone doing any large scale management of SSH
should take a good look at it.

------
AndyMcConachie
A user might also want to look into SSHFP DNS records as an alternative to
setting up an SSH CA.

[https://unix.stackexchange.com/questions/121880/how-do-i-generate-sshfp-records](https://unix.stackexchange.com/questions/121880/how-do-i-generate-sshfp-records)
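As an added example (not code from this thread, the linked article, or the Stack Exchange answer), the script below builds SSHFP resource records from an OpenSSH public-key line the way `ssh-keygen -r hostname` does: the fingerprint is a hash of the raw key blob, not of the base64 text. Algorithm and fingerprint-type numbers follow RFC 4255 (RSA=1, DSA=2, SHA-1=1), RFC 6594 (ECDSA=3, SHA-256=2) and RFC 7479 (Ed25519=4). The Ed25519 key bytes it feeds itself are a constructed fixed pattern, not a real key; the function and host names are this example's own.

```python
"""Generate DNS SSHFP records from OpenSSH public-key lines.

Added example for this thread; not code from the linked article or the
Stack Exchange answer.  Field numbers follow RFC 4255, RFC 6594 and
RFC 7479.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers keyed by the OpenSSH key-type token.
ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint-type numbers keyed by hashlib name.
FP_TYPES = {"sha1": 1, "sha256": 2}


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length prefix) from blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    end = start + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_pubkey_line(line):
    """Parse '<type> <base64> [comment]' and return (type, raw_blob).

    The key type encoded inside the blob must match the leading token;
    a mismatch is how a mis-copied or tampered key line shows up.
    """
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = _read_string(blob, 0)
    if inner_type.decode("ascii") != key_type:
        raise ValueError(f"type mismatch: {key_type} vs {inner_type!r}")
    return key_type, blob


def sshfp_record(hostname, line, fp_name="sha256"):
    """Return one SSHFP RR in zone-file form for hostname.

    The digest is computed over the decoded key blob, which is what
    ssh-keygen -r hashes.
    """
    key_type, blob = parse_pubkey_line(line)
    if key_type not in ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    alg = ALGORITHMS[key_type]
    fp_type = FP_TYPES[fp_name]
    digest = hashlib.new(fp_name, blob).hexdigest()
    return f"{hostname} IN SSHFP {alg} {fp_type} {digest}"


def constructed_ed25519_line(fill_byte=0x42):
    """Build a syntactically valid ssh-ed25519 public-key line.

    Constructed test input: the 32 "key" bytes are a fixed pattern, not a
    real key.  SSHFP only hashes the encoded blob, so this is enough to
    exercise the record generation.
    """
    key_bytes = bytes([fill_byte]) * 32
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " example"


if __name__ == "__main__":
    line = constructed_ed25519_line()
    for fp in ("sha1", "sha256"):
        print(sshfp_record("host.example.com.", line, fp))
```

Publishing the records is only half of it: the client ignores them unless `VerifyHostKeyDNS yes` is set in `ssh_config`, and without DNSSEC validation on the resolver path an attacker who can spoof DNS answers can spoof the fingerprint as easily as the host key, so SSHFP is a replacement for manual fingerprint checking only on a signed zone.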

