
Joe MacDonald jjmcdn

  • Mentor Graphics
  • Ottawa, ON
  • X @jjmcdn
jjmcdn / ssh-dnssec.md
Created October 21, 2016 16:53
SSH Fingerprint in DNSSEC

Copied from www.lorier.net/docs/sshfp, all credit there.

SSH Fingerprint in DNS

If you have DNSSEC set up (and your resolvers are actually validating with it!) you might consider publishing SSHFP records to avoid the "The authenticity of host 'blah blah blah' can't be established." prompt. This is an alternative to signing the SSH host public key with a certificate. The records only buy you anything when the client sees them in a validated answer (the AD bit set by a trusted resolver); an unsigned zone, or a client talking to a non-validating resolver, just moves the trust problem from the first SSH connection to the first DNS lookup.

Personally, I'd recommend the SSH CA approach as being more sensible and foolproof, but there are situations where it's not appropriate.

```sh
sudo ssh-keygen -r $(hostname) >>/etc/bind/db.$(hostname --domain)
```

`ssh-keygen -r` reads the host public keys under /etc/ssh (they are world-readable, so the sudo is only for writing the zone file) and prints one `IN SSHFP` record per key and digest type. The owner name is written exactly as given, without a trailing dot, so in a zone file for $(hostname --domain) the short host name is the right thing to use (`hostname --domain` is GNU-specific; `hostname -d` works on more systems). Appending the lines is not the whole job: bump the zone serial and re-sign the zone, and on the clients set `VerifyHostKeyDNS yes` (or `ask`) in ssh_config, otherwise ssh never looks the records up.
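As an added example (this is not code from the gist or from lorier.net), the script below produces the same records for a throwaway Ed25519 key and cross-checks them against a fingerprint computed directly from the key blob, which is a cheap way to confirm what is about to go into the zone. The host name `myhost`, the scratch directory and the key path are assumptions; on a real host you would omit `-f` and let `ssh-keygen -r` read /etc/ssh/ssh_host_*_key.pub.

```shell
#!/bin/sh
# Added example, not from the gist or lorier.net: generate SSHFP records for a
# throwaway host key and cross-check the SHA-256 record against a fingerprint
# computed independently from the raw key blob.
# Assumptions: host name "myhost", a scratch directory from mktemp, GNU
# coreutils (base64 -d, sha256sum, sha1sum) and an OpenSSH ssh-keygen.

# Print the SSHFP records for host name $1 from the public key file $2.
# Each output line looks like:   myhost IN SSHFP 4 2 <64 hex chars>
# field 4 is the key algorithm (1 RSA, 4 Ed25519), field 5 the digest type
# (1 SHA-1, 2 SHA-256), field 6 the hex digest.
sshfp_records() {
    ssh-keygen -r "$1" -f "$2"
}

# The fingerprint in an SSHFP record is the digest of the raw key blob
# (the base64 field of the .pub line, decoded), not of the text line.
sshfp_sha256() {
    awk '{ print $2 }' "$1" | base64 -d | sha256sum | awk '{ print $1 }'
}

sshfp_sha1() {
    awk '{ print $2 }' "$1" | base64 -d | sha1sum | awk '{ print $1 }'
}

# Return 0 when every record ssh-keygen emitted for key $2 under name $1
# matches the digest computed here, 1 otherwise.
sshfp_check() {
    recs=$(sshfp_records "$1" "$2") || return 1
    got2=$(printf '%s\n' "$recs" | awk '$5 == "2" { print $6 }')
    got1=$(printf '%s\n' "$recs" | awk '$5 == "1" { print $6 }')
    # A SHA-256 record is mandatory for anything you would publish today.
    [ -n "$got2" ] || return 1
    [ "$got2" = "$(sshfp_sha256 "$2")" ] || return 1
    # The SHA-1 record is optional; check it only if ssh-keygen printed one.
    if [ -n "$got1" ]; then
        [ "$got1" = "$(sshfp_sha1 "$2")" ] || return 1
    fi
    return 0
}

# Stand-alone demo: make a throwaway key, show the records, verify them.
if command -v ssh-keygen >/dev/null 2>&1; then
    demo=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -f "$demo/hostkey"
    sshfp_records myhost "$demo/hostkey.pub"
    sshfp_check myhost "$demo/hostkey.pub" && echo "SSHFP records verified"
    rm -rf "$demo"
fi
```

Once the signed zone is live, check it from a client the same way ssh will: `dig +dnssec SSHFP myhost.example.com` must come back with the `ad` flag from your resolver, and `ssh -o VerifyHostKeyDNS=ask myhost.example.com` should report "Matching host key fingerprint found in DNS." instead of asking you to compare fingerprints by eye.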
jjmcdn / using-a-tpm.md
Created October 21, 2016 16:53
Using a TPM

copied from http://www.lorier.net/docs/tpm, all credit there:

Using a TPM

A TPM is designed to hold private keys and do operations with them. This means the private key need never be unencrypted in your machine's memory, which makes stealing it, even with access to the machine, very hard. Even with physical access, the worst an attacker should be able to do is destroy the key material, unless they go to rather extreme lengths. Note what that does and does not cover: a TPM-resident key cannot be copied off the box, but anyone who can talk to the TPM on a compromised machine can still ask it to use the key, so the authorization value or PCR policy you bind the key to matters as much as the key being non-exportable.

The downside of this is that it's complicated (hence the long list of things to do below), and the TPM is also quite slow.

NOTES

Before we begin:

copied from http://www.lorier.net/docs/ssh-ca - all credit there.

Using a CA with SSH

Using a CA with ssh means you can sign a user's key once, and that user can log in everywhere that trusts the CA without their public key having to be copied to every host again. This allows for things like fast rollover of keys (e.g. daily) and, with host certificates, trusting the host key of a machine you are logging into for the first time, which is very useful when you're managing large numbers of machines, or machines that get new host keys regularly (e.g. by being reinstalled).

You'll probably want at least OpenSSH 5.6, although certificate authentication first appeared in 5.4.

Creating the CA key

```sh
ssh-keygen -f /etc/ssh/ca
```

This is an ordinary key pair; what makes it a CA is only that you sign other keys with it and tell hosts to trust it. Give it a passphrase when prompted, and keep the private half off the machines that merely trust it: anyone holding /etc/ssh/ca can mint a certificate for any user or host.
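As an added example (not code from the gist or from lorier.net), here is the whole flow the paragraph above describes, run end to end in a scratch directory: a user CA and a separate host CA, a user key signed with a one-day certificate, a host key signed with a host certificate, and the sshd_config and known_hosts lines that make a server and a client trust them. The CA names, the user `alice`, the principals, `host.example.com` and `10.0.0.5` are all assumptions; the real CA would live at /etc/ssh/ca as on the page.

```shell
#!/bin/sh
# Added example, not from the gist or lorier.net. Builds a user CA and a host
# CA in a scratch directory, signs one user key and one host key, and writes
# the server- and client-side trust configuration. Every name, principal and
# path here is an assumption for the demo.

# $1: scratch directory. Creates ca_user, ca_host, a key for "alice" and a
# key for host.example.com, then signs both.
ssh_ca_demo() {
    d=$1
    # Separate CAs for users and hosts: a leaked host CA must not be able to
    # mint user certificates, and vice versa.
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$d/ca_user"
    ssh-keygen -q -t ed25519 -N '' -C 'host-ca' -f "$d/ca_host"

    # A user's own key pair, as generated on their workstation.
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$d/alice"
    # Sign it: -I is the identity sshd logs, -n the principals (user names)
    # the certificate may log in as, -V the validity window. A short window
    # like +1d is what makes the daily rollover mentioned on the page cheap.
    # Output file: $d/alice-cert.pub
    ssh-keygen -s "$d/ca_user" -I 'alice-laptop-2016-10-21' -n alice,ops -V +1d "$d/alice.pub"

    # The host's key pair and a host certificate (-h). Principals are the
    # names and addresses clients will connect to.
    ssh-keygen -q -t ed25519 -N '' -f "$d/host_key"
    ssh-keygen -s "$d/ca_host" -I 'host.example.com' -h -n host.example.com,10.0.0.5 -V +52w "$d/host_key.pub"

    # Server side (sshd_config): accept user certificates signed by the user
    # CA, and present the host certificate alongside the host key.
    {
        printf 'TrustedUserCAKeys %s/ca_user.pub\n' "$d"
        printf 'HostKey %s/host_key\n' "$d"
        printf 'HostCertificate %s/host_key-cert.pub\n' "$d"
    } > "$d/sshd_config.snippet"

    # Client side (known_hosts): any host presenting a certificate signed by
    # the host CA is trusted for *.example.com, so no fingerprint prompt even
    # after a reinstall that changed the host key.
    printf '@cert-authority *.example.com %s\n' "$(cat "$d/ca_host.pub")" > "$d/known_hosts"
}

# Return 0 if certificate file $1 lists principal $2 (as shown by ssh-keygen -L,
# which prints each principal on its own indented line).
cert_has_principal() {
    ssh-keygen -L -f "$1" | grep -qx "[[:space:]]*$2"
}

# Return 0 if certificate file $1 is a host certificate, 1 if it is a user one.
cert_is_host() {
    ssh-keygen -L -f "$1" | grep -q 'host certificate'
}

# Stand-alone demo: build everything, print the user certificate and the
# two config fragments.
if command -v ssh-keygen >/dev/null 2>&1; then
    demo=$(mktemp -d)
    ssh_ca_demo "$demo"
    ssh-keygen -L -f "$demo/alice-cert.pub"
    cat "$demo/sshd_config.snippet" "$demo/known_hosts"
    rm -rf "$demo"
fi
```

`ssh-keygen -L -f alice-cert.pub` is also the first thing to run when a certificate login fails: the Key ID, principals and validity window it prints are exactly what sshd checks, and a certificate whose principals do not include the login name, or whose validity has lapsed, is rejected with nothing more helpful in the client than "Permission denied".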