SSH certificates: the better SSH experience
Inspired by this post by JP Mens.

Instead of distributing public keys to every server’s authorized_keys, you can use a Certificate Authority (CA) to sign SSH keys. This eliminates ssh-copy-id, manual authorized_keys edits, and TOFU prompts for new hosts.

How it works:

Create a CA key pair on a secure machine

    umask 077; mkdir CA
    ssh-keygen -t ecdsa -C "My SSH CA" -f CA/ssh-ca

Sign user public keys with the CA, specifying allowed principals (login names) ...
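The CA and signing steps above, carried through to a certificate you can inspect, as an added example that is not code from the original post. It goes one step further than the text by checking the principals and the signing CA with `ssh-keygen -L`; the names `alice`, `jane`, `alice-laptop`, the `+52w` validity and the passphrase-less throwaway keys are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: constructed names (alice, jane, alice-laptop, +52w), throwaway keys.

make_ca() {             # $1 = directory that will hold the CA key pair
    # -N '' (no passphrase) keeps the demo non-interactive; protect a real CA key.
    ( umask 077; mkdir -p "$1" &&
      ssh-keygen -q -t ecdsa -N '' -C "My SSH CA" -f "$1/ssh-ca" )
}

sign_user_key() {       # $1 = CA private key  $2 = user public key  $3 = key ID
                        # $4 = comma-separated principals  $5 = validity interval
    # Writes <name>-cert.pub next to the user's public key.
    ssh-keygen -q -s "$1" -I "$3" -n "$4" -V "$5" "$2"
}

cert_principals() {     # $1 = certificate; prints one principal per line
    ssh-keygen -L -f "$1" | awk '
        /^[[:space:]]*Principals:/       { p = 1; next }
        /^[[:space:]]*Critical Options:/ { p = 0 }
        p { gsub(/^[[:space:]]+/, ""); print }'
}

cert_signed_by() {      # $1 = certificate  $2 = CA public key; exit 0 on match
    local ca_fp
    ca_fp=$(ssh-keygen -l -f "$2" | awk '{ print $2 }')
    ssh-keygen -L -f "$1" | grep 'Signing CA:' | grep -qF -- "$ca_fp"
}

demo() {
    local d; d=$(mktemp -d) || return 1
    make_ca "$d/CA" &&
    ssh-keygen -q -t ed25519 -N '' -C "alice" -f "$d/id_alice" &&
    sign_user_key "$d/CA/ssh-ca" "$d/id_alice.pub" "alice-laptop" "alice,jane" "+52w" &&
    ssh-keygen -L -f "$d/id_alice-cert.pub"
    local rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

A server accepts such certificates once its sshd_config points `TrustedUserCAKeys` at a copy of the CA's public key (`ssh-ca.pub`); the login name requested must then appear among the certificate's principals.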