(comments)

Original link: https://news.ycombinator.com/item?id=43680367

A Hacker News discussion centers on an article that advocates using SSH certificates instead of SSH keys for better scalability. One commenter notes that modern SSH configurations allow keys to be fetched dynamically at login time, which simplifies distributed key management. Some users share their experience of using (or not using) SSH certificates in their organizations. Concern is voiced about the limited adoption of SSH certificates despite their advantages; one user notes that most people have never seen anyone use them. Others point out that the article is an advertisement for Infisical's SSH certificate service and stress the need for an open-source solution for issuing short-lived certificates. The discussion also covers alternatives such as Vault and Tailscale SSH, and notes that Infisical may be growing beyond secrets management. One commenter compares Infisical to Teleport, but without the logging and remote infrastructure features.

Related articles
  • SSH Keys Don't Scale, SSH Certificates Do. 2025-04-14
  • (comments) 2025-03-25
  • (comments) 2024-04-01
  • (comments) 2023-12-25
  • SSH is about to support OpenID 2025-03-25

  • Original
SSH Keys Don't Scale. SSH Certificates Do (infisical.com)
18 points by dangtony98 2 hours ago | 6 comments
If you need easy distributed key management, modern SSH makes this fairly straightforward with some config values. It supports executing a program to get the SSH key at login time, dynamically. This way you can still maintain local certificates for fallback, and you can plug into anything. For example, in the past I wrote a simple golang-based app that loaded all of the SSH pubkeys from my organization's GitHub, for users in a specific team.
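The mechanism this comment describes is sshd's `AuthorizedKeysCommand`: sshd runs a program with the login name and accepts whatever authorized_keys lines it prints. Below is an added example of such a helper, written for this page; it is not the commenter's Go app and not Infisical's code. The sshd_config directives in the docstring are real, but the program path `/usr/local/sbin/org-keys`, the team name `sre`, and the key inventory (shaped like GitHub's `GET /users/{login}/keys` response, grouped by team) are constructed assumptions so that it runs offline.

```python
"""Added example (not the commenter's Go app and not Infisical's code): a
minimal AuthorizedKeysCommand helper. sshd calls it with the login name and
reads authorized_keys lines from stdout, so keys never have to be copied
into ~/.ssh/authorized_keys on every host.

Assumed sshd_config (directives are real; the path is hypothetical):
    AuthorizedKeysCommand /usr/local/sbin/org-keys %u
    AuthorizedKeysCommandUser nobody
sshd refuses to run the program unless it is owned by root and not writable
by group or others.

The inventory below is constructed sample data in the shape of GitHub's
GET /users/{login}/keys response ({"id": ..., "key": "ssh-ed25519 AAAA..."}),
grouped by team, so the script runs without network access.
"""
import base64
import binascii
import json
import struct
import sys

ALLOWED_KEY_TYPES = {"ssh-ed25519", "sk-ssh-ed25519@openssh.com", "ecdsa-sha2-nistp256"}
# Options prepended to every served key: "restrict" turns off port/agent/X11
# forwarding, "pty" re-enables an interactive terminal.
KEY_OPTIONS = "restrict,pty"


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _ed25519_pubkey_line(raw32: bytes) -> str:
    """Build a syntactically valid ed25519 public-key line from 32 raw bytes (constructed)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed inventory: one team, two members, two keys that must be rejected.
SAMPLE_INVENTORY = json.dumps({
    "sre": {
        "alice": [
            {"id": 1, "key": _ed25519_pubkey_line(b"\x01" * 32)},
            {"id": 2, "key": "ssh-dss AAAAB3NzaC1kc3MAAACBAP"},   # legacy type
        ],
        "bob": [
            {"id": 3, "key": "ssh-ed25519 not*base64*at*all"},   # malformed
        ],
    }
})


def validate_key(line: str):
    """Return 'type b64' if the line is a well-formed key of an allowed type, else None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    ktype, b64 = parts[0], parts[1]
    if ktype not in ALLOWED_KEY_TYPES:
        return None
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    # The blob's leading string must repeat the declared key type.
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode():
        return None
    return f"{ktype} {b64}"


def authorized_keys_for(user: str, inventory_json: str, team: str) -> list:
    """Produce authorized_keys lines for `user` if they are a member of `team`."""
    inventory = json.loads(inventory_json)
    lines = []
    for entry in inventory.get(team, {}).get(user, []):
        key = validate_key(entry.get("key", ""))
        if key is None:
            continue  # skip the bad key; one malformed entry must not lock the user out
        lines.append(f"{KEY_OPTIONS} {key} {user}@org-key-{entry['id']}")
    return lines


if __name__ == "__main__":
    # sshd passes the login name via the %u token in sshd_config.
    login = sys.argv[1] if len(sys.argv) > 1 else ""
    print("\n".join(authorized_keys_for(login, SAMPLE_INVENTORY, "sre")))
```

Two design points worth noting: the helper validates each key's base64 blob against its declared type before serving it, so a corrupted inventory entry is dropped rather than handed to sshd, and it prepends `restrict,pty` so that keys pulled from an external directory get no forwarding rights by default. Because sshd still reads `AuthorizedKeysFile` first, a local break-glass key keeps working if the inventory source is down.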


I would love to ask you lovely HN people, assuming you actually use SSH for work:

- does your organization use ssh certs?

- how big is the org? ("I know most IT", or "it's impossible to know the whole IT"?)

- were you the ones that proposed and implemented that change? :)

SSH certs make so much sense and I have known about them for a long time. Yet I never implemented that approach - we had at most 2 people that were actually interested. And now for me everything is HTTP APIs and OAuth, so I don't need it any more. I wonder what the reasons are that orgs don't use ssh certs by default.



I have never met anyone who used certs with ssh, despite their being the obvious choice.

But since apparently ssh is now obsolete (as I was told here a week ago or so), maybe it makes no difference.



It's just an ad for their SSH cert service...

I feel like for SSH certs to expand beyond large companies, there's the need for an open-source service which does the issuing of short-lived certs after a user authenticates. I know smallstep, but their offer feels open-core/freemium.
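What makes an issued certificate "short-lived" is nothing more than two fields inside it: the validity window and the principal list. The added example below (written for this page; not the commenter's code, nor smallstep's or Infisical's) encodes and decodes the OpenSSH ed25519 user-certificate wire format from OpenSSH's PROTOCOL.certkeys, then applies the window and principal checks the way sshd does. The user and CA public keys are fixed constructed bytes and the CA signature is a placeholder, since real signing needs the CA's private key (`ssh-keygen -s ca_key -I key_id -n principals -V +8h user.pub`); `check_cert` is a simplified model that does not verify the signature or apply critical options.

```python
"""Added example (not the commenter's code, not smallstep's or Infisical's):
encode and decode the OpenSSH user-certificate wire format
(ssh-ed25519-cert-v01@openssh.com, per OpenSSH's PROTOCOL.certkeys) to show
what a short-lived certificate carries and how its validity window and
principal list are checked. The CA signature is a placeholder; a real issuer
signs with the CA private key. check_cert() omits signature verification
(sshd checks it against TrustedUserCAKeys) and critical options.
"""
import base64
import struct

CERT_TYPE_USER = 1                       # 2 would be a host certificate
CERT_ALGO = b"ssh-ed25519-cert-v01@openssh.com"


def _s(data: bytes) -> bytes:
    """SSH wire-format string: uint32 length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def build_user_cert(user_pk, key_id, principals, valid_after, valid_before,
                    extensions=("permit-pty",), serial=1):
    """Encode an (unsigned) ed25519 user certificate; returns its one-line text form."""
    body = (
        _s(CERT_ALGO)
        + _s(b"\x00" * 32)                           # nonce: constructed, real CAs use random bytes
        + _s(user_pk)                                # the public key being certified (constructed)
        + struct.pack(">Q", serial)
        + struct.pack(">I", CERT_TYPE_USER)
        + _s(key_id.encode())                        # sshd logs this on every login
        + _s(b"".join(_s(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)             # seconds since the epoch
        + struct.pack(">Q", valid_before)
        + _s(b"")                                    # critical options: none
        + _s(b"".join(_s(e.encode()) + _s(b"") for e in extensions))
        + _s(b"")                                    # reserved
        + _s(_s(b"ssh-ed25519") + _s(b"\x02" * 32))  # CA public key: constructed
    )
    signature = _s(b"PLACEHOLDER")                   # real: CA signature over `body`
    return CERT_ALGO.decode() + " " + base64.b64encode(body + signature).decode()


class _Reader:
    """Sequential decoder for SSH wire-format fields."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def num(self, fmt: str) -> int:                  # ">I" for uint32, ">Q" for uint64
        (v,) = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return v

    def string(self) -> bytes:
        n = self.num(">I")
        v = self.buf[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return v


def parse_cert(line: str) -> dict:
    """Decode the fields a short-lived-certificate policy cares about."""
    algo, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if r.string() != algo.encode():
        raise ValueError("certificate type mismatch")
    r.string()                                       # nonce
    r.string()                                       # certified public key
    serial, ctype = r.num(">Q"), r.num(">I")
    key_id = r.string().decode()
    pr, principals = _Reader(r.string()), []
    while pr.pos < len(pr.buf):
        principals.append(pr.string().decode())
    valid_after, valid_before = r.num(">Q"), r.num(">Q")
    r.string()                                       # critical options (not modelled here)
    er, extensions = _Reader(r.string()), []
    while er.pos < len(er.buf):
        extensions.append(er.string().decode())
        er.string()                                  # extension data (empty for permit-*)
    return {"serial": serial, "type": ctype, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "extensions": extensions}


def check_cert(line: str, login_user: str, now: int):
    """Return (accepted, reasons) for a login as `login_user` at time `now`."""
    c = parse_cert(line)
    reasons = []
    if c["type"] != CERT_TYPE_USER:
        reasons.append("not a user certificate")
    if not c["valid_after"] <= now < c["valid_before"]:
        reasons.append("outside validity window")
    # An empty principal list means "valid for any user" in the OpenSSH format;
    # otherwise the login name must be listed.
    if c["principals"] and login_user not in c["principals"]:
        reasons.append(f"{login_user!r} not among principals {c['principals']}")
    return (not reasons, reasons)
```

The practical consequence for the issuing service the comment asks for: because expiry and allowed usernames live inside the signed blob, no revocation list or per-host key distribution is needed for routine offboarding, and the `key_id` field gives the audit trail tying each login back to the identity that authenticated to the issuer.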



I was curious if Infisical would eventually turn into Vault (i.e., move beyond pure secret management), and this appears to be the first step in that direction. Granted, the onboarding/usage steps in the article are dramatically simplified compared to Vault.

We used to use a method that was identical to this using Vault. Even wrote our own mini-CLI with a similar usage pattern. However, nowadays, we rely on Tailscale SSH (with a break-glass key) and have never really felt the need for an alternative.



This seems kind of like Teleport without the logging and remote infrastructure.