OpenSSH supports the signing of public keys by a certificate authority. This feature is the gateway to a powerful set of access controls that limit access by user, time, principal and host. Articles can be found on the topic; here are a few:

Facebook engineering wrote in 2016 about their approach and what it enables: Scalable and secure access with SSH

Hosaka wrote about it in 2020 and makes reference to the above FB post in the article Creating a PKI for OpenSSH.

The key entry point is in the ssh-keygen man page:

CERTIFICATES

     ssh-keygen supports signing of keys to produce certificates that may be used for user or host authentication.  Certificates consist of a public key, some identity information, zero or more principal (user or host) names and a set of options that are signed by a Certification Authority (CA) key.  Clients or servers may then trust only the CA key and verify its signature on a certificate rather than trusting many user/host keys.  Note that OpenSSH certificates are a different, and much simpler, format to the X.509 certificates used in ssl(8).

Some points of interest:

  • Users do not need to pre-seed .ssh/authorized_keys if their public key is signed by a trusted CA
  • Keys can be revoked, although the mechanics of this are left to the system administrator's own devices
  • A signed key can be limited in usable scope to a specific set of hosts and a specific set of destination users
  • A signed key has a specific usable duration, i.e. it expires. This alone adds a great deal of security, and requiring interaction with the CA for issuance and renewal creates a point of control.

Some details on how to do this are left out: how to create a secure issuance mechanism for a CA to do its actual work. The FB post alludes to a process that is invoked automatically for a user when they log in to a bastion host, but leaves the details of that out. The key-revocation mechanism probably depends on some kind of cron mechanism. How to manage who has access to what (and therefore what gets issued) is out of scope and is likely dependent upon LDAP or another identity/authentication system of control.
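The points above (principals, expiry, revocation) and the issuance/revocation gaps just noted can be exercised end to end with ssh-keygen alone. The script below is an added example, not code from the article or from the linked posts; the CA name, the user "alice", the principals, the serial and the one-hour validity are all constructed for the demo, and everything happens in a throwaway directory.

```shell
#!/bin/sh
# Added example, not from the article: a throwaway OpenSSH certificate workflow
# using only ssh-keygen (no sshd). Names, principals and validity are constructed.
# Requires openssh-client; skips cleanly when ssh-keygen is not installed.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo 'ssh-keygen not found, skipping' >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. CA key pair. In practice the private half stays on a locked-down signing host;
#    servers only ever receive user_ca.pub (sshd TrustedUserCAKeys) to check signatures.
ssh-keygen -q -t ed25519 -N '' -C 'example-user-ca' -f user_ca
# 2. The user's own key pair; only alice.pub is submitted to the CA for signing.
ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f alice
# 3. Issue the user certificate: serial 1, key ID "alice", principals restrict which
#    destination users it may log in as, -V bounds its lifetime (start 5 min in the
#    past to tolerate clock skew), -O strips extensions the user does not need.
ssh-keygen -q -s user_ca -I alice -n alice,deploy -z 1 -V '-5m:+1h' \
  -O no-port-forwarding -O no-agent-forwarding alice.pub     # writes alice-cert.pub
# 4. Revoke it before expiry: a KRL entry keyed on the serial under this CA. sshd
#    reads such a file via RevokedKeys; distributing it is the cron-style job above.
printf 'serial: 1\n' > revoke.spec
ssh-keygen -q -k -f revoked.krl -s user_ca.pub revoke.spec

# Helpers so each property of the issued certificate can be checked by name.
cert_field() {      # one field of `ssh-keygen -L`, e.g. cert_field 'Key ID' -> "alice"
  ssh-keygen -L -f "$WORK/alice-cert.pub" | sed -n "s/^[[:space:]]*$1: //p"
}
cert_principals() { # comma-joined principal list, e.g. alice,deploy
  ssh-keygen -L -f "$WORK/alice-cert.pub" | sed -n '/Principals:/,/Critical Options:/p' \
    | sed '1d;$d' | tr -d ' \t' | tr '\n' ',' | sed 's/,$//'
}
krl_status() {      # REVOKED or ok for a key/cert file checked against the KRL
  ssh-keygen -Q -f "$WORK/revoked.krl" "$1" | sed 's/.*: //'
}

echo "key id:      $(cert_field 'Key ID')"
echo "serial:      $(cert_field Serial)"
echo "valid:       $(cert_field Valid)"
echo "principals:  $(cert_principals)"
echo "cert in KRL: $(krl_status "$WORK/alice-cert.pub")"   # REVOKED
echo "bare key:    $(krl_status "$WORK/alice.pub")"        # ok (only the cert serial is listed)
```

The bare public key still reports "ok" because the KRL revokes only serial 1 under this CA; revoking the key itself would need a `key:` line (or the .pub file) passed to `ssh-keygen -k` instead.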

These are great starting points on this topic and worth considering, if not for the possibilities the approach offers then for how to solve the few implementation issues that remain to make it really work.