Benefit of signed SSH user certificates?

It's useful so you can grant access to any key signed by that particular CA certificate. For example, you have a server which trusts a CA. You can now allow access to any user by signing their key using the CA without having to add their key to the server itself, which might be impossible (let's say it's an embedded device with read-only storage so any addition to .ssh/authorized_keys will be lost on next reboot).


Using signed ssh-keys for users has several benefits:

  • The user's public key is not distributed to the servers as ~/.ssh/authorized_keys, that saves a lot of pain.
  • ~/.ssh/authorized_keys can not be mis-used by adding other identities to it.
  • Access control using public keys can be immutable.
  • The signed key can have a time limit (lease)
  • The signed key can be assigned a principal (admin account) no need to create extra users, just log sshd VERBOSE for fingerprint
  • The signature of the key can enforce restrictions of the options that man (5) authorized_keys lists.
  • Signed keys have a revoke method.