Hey HN! Infisical SSH, an extension of the open source Infisical platform [1], gives you a solution to centralize SSH access for your team and infrastructure.
Infisical SSH eliminates the need for you to manage SSH keys in favor of short-lived SSH certificates issued on demand. From one dashboard, you can define which users should have access to which machines and let Infisical facilitate connections using SSH certificate-based authentication under the hood.
With just a few clicks, you can bootstrap the same secure, scalable SSH certificate-based authentication scheme that companies like Meta, Uber, and Google use to scale SSH access across their infrastructure.
Great pros and cons analysis honestly; I would say though that this isn't buying into the model of Infisical SSH specifically as much as it is just changing the overall approach from SSH public key authentication to SSH certificate-based authentication which has been available for years; Infisical SSH is more-so there to provide the tooling to more easily implement this approach.
Regarding the point on users generating their own keys, I'd say this would still be possible — You can have an SSH CA sign/issue a certificate for an existing key pair.
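The point above about a CA signing an existing key pair, as an added example that is not part of the original comment and not Infisical's own tooling: it uses plain OpenSSH `ssh-keygen` with throwaway keys and checks that the short-lived certificate wraps the user's unchanged public key. The key ID `alice@example`, the principal `deploy` and the file names are assumptions.

```shell
#!/bin/sh
# Added example with constructed throwaway keys; assumes OpenSSH ssh-keygen on PATH.

# SHA256 fingerprint of a public key file.
key_fp() {
    ssh-keygen -l -f "$1" | awk '{print $2}'
}

# Fingerprint printed on the "Public key:" or "Signing CA:" line of a certificate.
cert_field() {
    ssh-keygen -L -f "$1" | awk -v label="$2" 'index($0, label) {print $4; exit}'
}

# Create a CA and a user key in directory $1, then sign the user's
# already-existing public key. The private key never leaves the user.
issue_cert() {
    dir=$1
    # User CA key pair (in production this stays on the CA, not on a laptop).
    ssh-keygen -q -t ed25519 -N '' -C 'example-user-ca' -f "$dir/user_ca" || return 1
    # The user's existing key pair, generated independently of the CA.
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$dir/id_ed25519" || return 1
    # Sign only the .pub file: key ID for audit logs, one principal, 1 hour validity.
    ssh-keygen -q -s "$dir/user_ca" -I 'alice@example' -n deploy -V +1h \
        "$dir/id_ed25519.pub" || return 1
}

# The certificate is valid for the user's key only if it embeds that same key
# and names the expected CA as signer.
cert_matches() {
    cert=$1; user_pub=$2; ca_pub=$3
    [ "$(cert_field "$cert" 'Public key:')" = "$(key_fp "$user_pub")" ] &&
    [ "$(cert_field "$cert" 'Signing CA:')" = "$(key_fp "$ca_pub")" ]
}

demo_dir=$(mktemp -d)
issue_cert "$demo_dir"
if cert_matches "$demo_dir/id_ed25519-cert.pub" "$demo_dir/id_ed25519.pub" \
        "$demo_dir/user_ca.pub"; then
    echo "certificate wraps the existing key and was signed by the CA"
fi
# Show key ID, validity window and principals of the issued certificate.
ssh-keygen -L -f "$demo_dir/id_ed25519-cert.pub"
rm -rf "$demo_dir"
```

On the server side, trust is established by pointing `TrustedUserCAKeys` in `sshd_config` at the CA's public key, so no per-user `authorized_keys` entry is needed.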
Definitely some overlap there for sure but with different architecture — this is also an extension of the broader Infisical platform that a lot of companies use for secrets management.
You're right in noticing that we're moving beyond secrets management into adjacent related verticals as well, specifically branching out more into the larger identity and access management space; secrets management continues to be the bread and butter of Infisical but the way we see it, it would be super nice in the long run to have one unified control plane over all related aspects spanning secrets management to certificate management, SSH access, and more.
One of the core product philosophies of Infisical has always been to abstract away complexity as much as possible while still giving users the ability to customize the tool.
Whereas Vault might, for example, have you explicitly create SSH certificate authorities and require 12+ steps to configure a working SSH certificate-based authentication model, Infisical SSH makes it so you only have to care about users and hosts, that is, who has access to what, with something like 4 steps, and if you want more power out of Infisical then that is always possible to build atop.
I'd say SSH certificate-based authentication is implemented widely at big tech and larger enterprises (tons of sources on it) but hasn't received the same mainstream adoption as SSH public key authentication because the administrative experience to set it up can be quite cumbersome despite how much benefit it provides. Put differently, there's always been a tradeoff in terms of configuration effort and benefits reaped.
With Infisical SSH, we've tried to abstract away as much complexity as possible and give folks the ability to implement an SSH certificate-based access scheme across infrastructure with minimal administrative overhead.
Hey totally agree with the open source aspect here in order for SSH certificates to reach broader adoption (coupled with seamless admin and user experience).
Infisical SSH is actually an extension of the Infisical platform which is open source and used by a ton of companies for secrets management.
It's a perfectly valid question if one does the minimum to engage with the thing being showhn otherwise it's a reflexive and, as you can see in the several near-identical comments, repetitive trope.
Thanks for the question! Faker is useful but doesn't have a lot of features. For example, referential integrity, data orchestration or the ability to read/write to a db. So faker can work for simple API schemas but if you need something more robust for an entire database, then that's where we can help.
Not yet but we definitely have ideas for this coming up next on the roadmap.
The basic idea would be to allow you to create CAs with external/imported CA options which would assist with a migration.
For example, you would be able to "import" in a signed certificate (+chain) from an external parent CA when installing an intermediate CA in Infisical — As you'd expect, Infisical would generate a CSR for the CA to be signed by the parent CA externally.
[1] Infisical - https://github.com/Infisical/infisical