SSH logins in practice: certificates vs. OPKSSH
- Track: Identity and Access Management
- Room: H.2214
- Day: Sunday
- Start: 14:00
- End: 14:30
- Video only: h2214
SSH is the default access method for Linux servers, typically configured with passwords or public/private key authentication. However, in large multi-user deployments, these methods have significant drawbacks: security of private keys on unmanaged clients, key management on the server side, and the difficulty of integrating multi-factor authentication.
Alternative methods exist but are not always easy to implement. In this talk, I compare two of the most promising approaches—OpenSSH certificates and OpenPubKey (OPKSSH)—based on a recent evaluation for a multi-user compute cluster with dozens of machines and hundreds of unmanaged clients. I discuss the advantages and limitations of each approach, including client configuration, required additional software, and operational complexity.
The presentation includes live demos illustrating how each method works from both the client and server perspective, and a closer look at the inner workings of SSH certificates and OPKSSH.
Links:
- https://www.openssh.org
- https://github.com/openpubkey/openpubkey
- https://github.com/openpubkey/opkssh
Speakers
| Erich B |