Registered 2017-10-11 by Pino de Candia

Named in honor of Tatu Ylönen, the inventor of SSH, Tatu is an OpenStack service that manages user and host certificates. Tatu can also start and manage bastion servers so that you don't have to (and you don't have to give every SSH server a public IP address).

Tatu provides APIs that allow:
- OpenStack users to obtain a user SSH certificate (one per project) for their public key, with permissions corresponding to their roles in the project.
- OpenStack VM (or bare metal) instances to obtain a host SSH certificate for their public key.

During negotiation of the SSH connection:
- The server presents its host certificate.
- The client checks the validity of the host certificate using a Host CA public key configured in its known_hosts file (the config line starts with @cert-authority).
- The client presents its client certificate.
- The server checks the validity of the client certificate using a User CA public key configured in sshd_config (TrustedUserCAKeys).
- The server also checks that the certificate has not been revoked (RevokedKeys in sshd_config).
- The client certificate also contains a list of SSH principals, some of which the sshd_config may recognize as mapped to specific Linux accounts on the server (AuthorizedPrincipalsFile in sshd_config). The client is only allowed to log in to those Linux accounts.
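The server-side steps above, as an added example that is not part of Tatu or OpenSSH: a minimal parser for the OpenSSH certificate wire format, plus a function that mirrors sshd's RevokedKeys, validity-window and AuthorizedPrincipalsFile checks to decide which Linux accounts a client certificate may log in to. The certificate is constructed inline with dummy keys and an unverified signature (signature checking against TrustedUserCAKeys is sshd's job and is out of scope here); the principals-file mapping and serial-based revocation list are assumptions for illustration.

```python
import struct

SSH_CERT_TYPE_USER, SSH_CERT_TYPE_HOST = 1, 2   # type codes from OpenSSH PROTOCOL.certkeys


def _put_string(data):                          # SSH wire 'string': uint32 length + bytes
    return struct.pack(">I", len(data)) + data


def _get_string(buf, off):                      # decode a wire 'string' at buf[off]
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_user_cert(key_id, principals, serial, valid_after, valid_before):
    """Constructed sample in ssh-ed25519-cert-v01@openssh.com field order. Nonce, keys
    and signature are dummy bytes: a real cert is signed by the User CA and sshd
    verifies that signature against TrustedUserCAKeys before any check below."""
    return (_put_string(b"ssh-ed25519-cert-v01@openssh.com")
            + _put_string(b"\x00" * 32) + _put_string(b"\x00" * 32)   # nonce, public key
            + struct.pack(">QI", serial, SSH_CERT_TYPE_USER)
            + _put_string(key_id.encode())
            + _put_string(b"".join(_put_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _put_string(b"") * 3                       # critical options, extensions, reserved
            + _put_string(b"\x00" * 51) + _put_string(b"\x00" * 83))  # CA key, signature (dummy)


def parse_cert(blob):
    """Pull out the fields that drive sshd's authorization decision."""
    off = 0
    for _i in range(3):                                  # skip type name, nonce, public key
        _, off = _get_string(blob, off)
    serial, cert_type = struct.unpack_from(">QI", blob, off)
    key_id, off = _get_string(blob, off + 12)
    principals_blob, off = _get_string(blob, off)
    principals, p = [], 0
    while p < len(principals_blob):                      # principals are a packed string list
        name, p = _get_string(principals_blob, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return {"type": cert_type, "serial": serial, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}


def permitted_accounts(blob, principals_files, revoked_serials, now):
    """principals_files = {account: principals its AuthorizedPrincipalsFile accepts};
    revoked_serials stands in for a KRL loaded via RevokedKeys. Returns allowed accounts."""
    cert = parse_cert(blob)
    if cert["serial"] in revoked_serials or cert["type"] != SSH_CERT_TYPE_USER:
        return []                                        # revoked, or a host cert (never logs in)
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return []                                        # not yet valid, or expired
    granted = set(cert["principals"])
    return sorted(a for a, accepted in principals_files.items() if granted & set(accepted))
```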

Host certificates let the client verify the server's identity, which prevents MITM (man-in-the-middle) attacks. Without host certificates, users of SSH client software are presented with a message like this when they first connect to an SSH server: "The authenticity of host... can't be established. ECDSA key fingerprint is... Are you sure you want to continue connecting (yes/no)?" Users often don't bother checking the fingerprint out-of-band.

SSH servers only need to store the User CA public key (and the list of revoked client certificates), not every client's public key. This is simpler, more secure and more manageable than today's common practice: putting each client's public key in the SSH server's authorized_keys file.

Project information

Part of:
Tatu Drivers
Pino de Candia
Apache Licence
