SSH certificate-based authentication: what it changes for access control


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: SSH certificate-based authentication replaces password-based SSH access with cryptographic key pairs and certificates, reducing brute-force exposure while enabling tighter user management, revocation, and logging, according to StrongDM. For IAM teams, the real value is not the certificate itself but the governance model around issuance, permissions, rotation, and auditability.

NHIMG editorial — based on content published by StrongDM: How to Configure SSH Certificate-Based Authentication (Tutorial)

Questions worth separating out

Q: How should teams govern SSH certificate-based access for privileged users?

A: Treat SSH certificates as privileged credentials with owners, expiry, and revocation rules.

Q: Why do SSH certificates reduce risk compared with passwords?

A: SSH certificates reduce risk because they remove reusable passwords, narrow access to specific identities, and support time-bound trust.

Q: What breaks when SSH keys and certificates are not rotated or revoked?

A: When SSH credentials are not rotated or revoked, access can outlive the job, the vendor relationship, or the incident that should have ended it.

Practitioner guidance

  • Replace password SSH with certificate-backed access. Disable password authentication on privileged systems and require certificate-based login for interactive administrative access.
  • Define certificate lifetimes and revocation triggers. Set short validity periods for SSH certificates and document the exact events that force immediate revocation, including role changes, suspected compromise, and contractor offboarding.
  • Centralise SSH audit logging. Capture certificate issuance, successful logins, and denied attempts in a single reviewable log stream so incident response can reconstruct who accessed which host and when.

What's in the full article

StrongDM's full tutorial covers the operational detail this post intentionally leaves for the source:

  • Step-by-step SSH client and server configuration examples for certificate-based login.
  • Specific command examples for key generation, copying keys, and verifying certificate authentication.
  • Troubleshooting guidance for permissions, logs, and connectivity issues during rollout.
  • Operational notes on how the platform centralises certificate management and auditing.

👉 Read StrongDM's tutorial on SSH certificate-based authentication →

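As an added illustration of the governance model this thread describes (short lifetimes, named principals, revocation by serial), the following Python is not from StrongDM's tutorial or from the post above; it decodes the public fields of an OpenSSH ed25519 user certificate in the layout ssh-keygen writes and checks them against a lifecycle policy. The certificate it inspects is constructed inline with placeholder key and signature bytes, and the 8-hour lifetime ceiling is an assumed policy value; signature verification, which sshd performs, is out of scope here.

```python
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"

def _string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes); return it and the next offset."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Decode one line of a *-cert.pub file into the fields that matter for access governance."""
    blob = base64.b64decode(line.split()[1])
    kind, off = _string(blob, 0)
    if kind.decode() != CERT_TYPE:
        raise ValueError(f"unsupported certificate type {kind!r}")
    for _ in range(2):  # skip the nonce and the holder's ed25519 public key
        _skip, off = _string(blob, off)
    serial, cert_type = struct.unpack_from(">QI", blob, off)  # type 1 = user, 2 = host
    key_id, off = _string(blob, off + 12)
    packed, off = _string(blob, off)  # valid principals: a string holding packed strings
    principals, p = [], 0
    while p < len(packed):
        name, p = _string(packed, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return {"serial": serial, "cert_type": cert_type, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def check_policy(cert, revoked_serials, now, max_lifetime=8 * 3600):
    """List policy violations for a parsed user certificate; an empty list means it passes."""
    problems = []
    if cert["serial"] in revoked_serials:
        problems.append("serial is revoked")
    if not cert["principals"]:
        problems.append("no principals: certificate would be accepted for any user")
    if cert["valid_before"] - cert["valid_after"] > max_lifetime:
        problems.append("lifetime exceeds policy maximum")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("outside validity window")
    return problems

def build_sample_cert(serial, key_id, principals, valid_after, valid_before):
    """Constructed sample in the OpenSSH wire layout; key and signature bytes are placeholders."""
    s = lambda b: struct.pack(">I", len(b)) + b  # SSH string encoder
    body = (s(CERT_TYPE.encode()) + s(b"\x00" * 32) + s(b"\x11" * 32)  # type, nonce, holder key
            + struct.pack(">QI", serial, 1) + s(key_id.encode())  # serial, type 1 = user
            + s(b"".join(s(p.encode()) for p in principals)) + struct.pack(">QQ", valid_after, valid_before)
            + s(b"") * 3 + s(b"\x22" * 32) + s(b"\x33" * 64))  # options, extensions, reserved, CA key, signature
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} {key_id}"
```

Revocation by serial mirrors what sshd's RevokedKeys list does at login time; running parse_cert over every issued *-cert.pub line gives the "active trust set" review the post calls for.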
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

SSH certificate-based authentication is only as strong as the lifecycle behind it. Password removal does not solve access governance if keys, certificates, and principals are left to drift. The control question is whether the organisation can revoke access as quickly as it grants it and prove that the active trust set is current. Practitioners should treat certificate authentication as a lifecycle discipline, not a point solution.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: How can security teams know whether SSH certificate controls are working?

A: Look for short certificate lifetimes, documented revocation events, and complete logs showing who accessed which system and when. If certificates persist far beyond their intended use or revocation is manual and slow, the control is not governing access, only authenticating it.

👉 Read our full editorial: SSH certificate-based authentication and access control for DevOps



   