zaphar|1 year ago
How do you "untrust" a single person's key under this scheme? You would have to visit all of the machines and remove them from the authorized keys file.
nixgeek|1 year ago
Not really, with an SSH CA you’re trusting the CA and not installing individual keys into authorized_keys files.
Anything signed by the SSH CA will work for logins.
To deal with the “untrust” issue it’s normal for operations with an SSH CA to rely on (very) short-lived certificates, meaning often issued and valid for < 24 hours (it’s configurable, I’ve seen this be as short as 30 minutes).
Smallstep wrote a summary here which is pretty good —
https://smallstep.com/blog/use-ssh-certificates/
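The short-lived-certificate point above comes down to two timestamps inside the certificate, `valid_after` and `valid_before`, which sshd checks on every login instead of consulting a per-user authorized_keys entry. The following is an added example (not from the thread or from Smallstep): it builds a constructed ed25519 user certificate with placeholder key and signature bytes, parses the validity window the way a server or an audit script would, and flags certificates whose lifetime exceeds a policy ceiling such as the 24 hours mentioned above. Signature verification is deliberately out of scope.

```python
import base64
import struct
# Constructed example: an OpenSSH user certificate (PROTOCOL.certkeys layout) built
# inline with placeholder key and signature bytes; signatures are NOT verified here.
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b: bytes) -> bytes:  # SSH wire "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def build_cert(key_id, principals, valid_after, valid_before):  # one id_*-cert.pub line
    blob = (_s(CERT_TYPE) + _s(bytes(32)) + _s(bytes(32))  # type name, nonce, pubkey
            + struct.pack(">QI", 1, 1)                      # serial, cert type (1 = user)
            + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")                   # critical opts, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(bytes(32)))        # CA public key (placeholder)
            + _s(_s(b"ssh-ed25519") + _s(bytes(64))))       # CA signature (placeholder)
    return CERT_TYPE.decode() + " " + base64.b64encode(blob).decode() + " constructed"

def parse_cert(line):  # -> key id, principals and validity window
    blob = base64.b64decode(line.split()[1])
    pos = 0
    def rd_s():
        nonlocal pos
        (n,) = struct.unpack_from(">I", blob, pos)
        pos += 4 + n
        return blob[pos - n:pos]
    rd_s(); rd_s(); rd_s()    # skip type name, nonce and public key
    pos += 12                 # skip serial (uint64) and cert type (uint32)
    key_id = rd_s().decode()
    praw, principals, p = rd_s(), [], 0
    while p < len(praw):      # principals are a nested list of strings
        (n,) = struct.unpack_from(">I", praw, p)
        principals.append(praw[p + 4:p + 4 + n].decode())
        p += 4 + n
    valid_after, valid_before = struct.unpack_from(">QQ", blob, pos)
    return {"key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def check_cert(line, now, max_lifetime=24 * 3600):
    """Window check sshd applies, plus a lifetime ceiling an auditor might enforce."""
    c = parse_cert(line)
    if c["valid_before"] - c["valid_after"] > max_lifetime:
        return "lifetime-exceeds-policy"
    if now < c["valid_after"]:
        return "not-yet-valid"
    return "ok" if now < c["valid_before"] else "expired"
```

Feeding `parse_cert` the second field of a real `id_ed25519-cert.pub` line shows the same fields; `ssh-keygen -L -f <cert>` prints them in human-readable form.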