SSH certificates: the better SSH experience

DevOps swear by them, skeptics shrug, and GitHub ghosted the party

TLDR: An expert pushes SSH certificates to stop the risky “just hit yes” habit. Commenters split: ops teams cheer certs and daily rebuild sanity, skeptics say Trust On First Use works fine and GitHub doesn’t support certs, with a DNSSEC cameo that’s still “in theory” for many.

The internet’s favorite security debate just popped again: should you stop typing “yes” when your computer asks if it trusts a server? In SSH certificates: the better SSH experience, the author says certificates—think VIP passes signed by a company “boss” (a Certificate Authority)—beat the risky habit known as TOFU, or Trust On First Use. But the comments turned it into a circus, and we’re here for the drama.

Veteran thomashabets2 rolled their eyes with a meme-worthy sigh: this topic gets “rediscovered every few months,” dropping a throwback 2011 blog. Ops folks like linsomniac brought receipts: in environments where machines are rebuilt daily, host certs are a lifesaver, no more babysitting keys. Then came the cold splash—Thom2000 says GitHub still doesn’t support SSH certificates, so the cool kids can’t use them for public dev workflows. Cue the split: pro-certs shout “professionalize your logins,” while TOFU defenders like Tepix say, “I’ve never had a problem—have you?” Meanwhile, jcalvinowens teased a nerdy subplot: put server fingerprints in DNS and seal them with DNSSEC (secure DNS)… if your distro even turns it on. The jokes? “Press Y to pray,” “CA = hall monitor,” and “GitHub ghosting the cert party” had everyone cackling.

Key Points

  • SSH’s TOFU model prompts users to verify a server’s host key on first connection and should not be accepted blindly.
  • Administrators can display the server’s host key fingerprint with ssh-keygen and compare it to the client’s prompt for verification.
  • Utilities like ssh-keyscan can collect remote host keys, but out-of-band verification remains necessary to ensure authenticity.
  • SSH fingerprints can be published as SSHFP records in DNS, offering another method to verify host keys (details deferred).
  • Using SSH key pairs avoids password entry; keys should have strong passphrases, be installed via ssh-copy-id, and can be cached with an SSH agent.
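The fingerprint comparison and SSHFP publication the key points describe, as an added Python example that is not part of the article or the thread it summarizes: it computes the SHA256 fingerprint that ssh-keygen prints for an OpenSSH public-key line (or an ssh-keyscan line, which prefixes the hostname), derives the matching SSHFP record data, and checks a presented key against a published record. The Ed25519 key is constructed for the demo, not a real host's.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479); fingerprint type 2 = SHA-256
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}

def parse_pubkey_line(line):
    """Split an OpenSSH public-key line (or an ssh-keyscan line, which puts
    the hostname first) into (keytype, raw key blob)."""
    tokens = line.split()
    if tokens[0] not in SSHFP_ALGO:      # ssh-keyscan output: "host type b64"
        tokens = tokens[1:]
    keytype, b64 = tokens[:2]
    blob = base64.b64decode(b64)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line was mis-copied or tampered with, so refuse to hash it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type in blob does not match key type on line")
    return keytype, blob

def fingerprint_sha256(line):
    """Fingerprint in the form `ssh-keygen -lf -E sha256` prints: SHA256:<b64>."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def sshfp_rdata(line):
    """SSHFP RDATA '<algo> 2 <hex>' to publish in DNS for this key (SHA-256)."""
    keytype, blob = parse_pubkey_line(line)
    return f"{SSHFP_ALGO[keytype]} 2 {hashlib.sha256(blob).hexdigest()}"

def sshfp_matches(line, rdata):
    """True if the published SSHFP record matches the key the server presented."""
    algo, fptype, hexfp = rdata.split()
    if fptype != "2":
        return False                     # only SHA-256 records are compared here
    return sshfp_rdata(line).split() == [algo, "2", hexfp.lower()]

def _sample_ed25519_line():
    """Constructed sample: a deliberately non-random Ed25519 host public key."""
    keytype = b"ssh-ed25519"
    pub = bytes(range(32))
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", 32) + pub
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host@example"

SAMPLE_LINE = _sample_ed25519_line()
```

The hex in the SSHFP data is what you would publish in DNS; unless the client validates the record with DNSSEC, it is no stronger evidence than the TOFU prompt it replaces.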

Hottest takes

"Every couple of months someone re-discovers SSH certificates" — thomashabets2
"Sadly services such as Github don't support these" — Thom2000
"I've never had a security issue due to TOFU, have you?" — Tepix

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.