Post Syndicated from original https://lwn.net/Articles/927251/

Matthew Garrett looks at
the recent disclosure of GitHub’s private host key, how it probably
came about, and what a better approach to key management might look like.

The main problem is that client tooling just doesn’t handle this
well. OpenSSH has no way to do TOFU for CAs, just the keys
themselves. This means there’s no way to do a git clone
ssh://[email protected]/whatever and get a prompt asking you
to trust Github’s CA. Instead, you need to add a @cert-authority
github.com (key) line to your known_hosts file by hand, and since
approximately nobody’s going to do that there’s only marginal
benefit in going to the effort to implement this
infrastructure. The most important thing we can do to improve the
security of the SSH ecosystem is to make it easier to use
certificates, and that means improving the behaviour of the
clients.