Zero trust means no implicit trust, including for SSH. CertLocker's just-in-time SSH model issues time-limited credentials scoped to specific targets. Access is verified, logged, and expires automatically.
Zero trust isn't just a marketing term — it's a set of principles: never trust by default, always verify, minimize access scope, and assume breach. Permanent SSH keys violate all of these.
Permanent keys establish trust at creation time and never re-verify. CertLocker requires a fresh token request every session.
Every SSH connection validates the token against CertLocker's API. Revoked? Expired? Connection denied immediately.
Tokens are scoped to specific hosts. A token for prod-db-01 doesn't work on prod-api-02 — ever.
If a token is stolen, it expires. If a laptop is lost, revoke the token instantly. Blast radius is always limited to one session.
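The properties described above (a fresh, short-lived credential per session, bound to exactly one target host, checked on every connection, and revocable at once) can be modelled in a few dozen lines. The following is an added illustration written for this page, not CertLocker's code or API: the `TokenIssuer` class, its HMAC token format, the `jti` revocation list and the host names are all constructed for the example, and the verifier's checks (signature, revocation, expiry, host scope) stand in for whatever the real API does when a connection is validated.

```python
"""Illustrative just-in-time, host-scoped SSH token model (constructed example).

Not CertLocker's implementation: tokens here are HMAC-signed JSON claims that
bind one user to one target host with an expiry, and the verifier rejects a
token that is tampered with, revoked, expired, or presented to the wrong host.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Set, Tuple


class TokenIssuer:
    """Hypothetical issuer/verifier for short-lived, single-host session tokens."""

    def __init__(self, secret: bytes, ttl_seconds: int = 600):
        self._secret = secret          # signing key held only by the issuer
        self.ttl = ttl_seconds         # token lifetime: one session, then gone
        self.revoked: Set[str] = set()  # jti values revoked before expiry

    def issue(self, user: str, host: str, now: Optional[float] = None) -> str:
        """Mint a token for `user` that is valid only on `host` for `ttl` seconds."""
        now = time.time() if now is None else now
        claims = {
            "jti": hashlib.sha256(f"{user}:{host}:{now}".encode()).hexdigest()[:16],
            "sub": user,
            "host": host,              # the one target this token works on
            "exp": int(now) + self.ttl,
        }
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def revoke(self, token: str) -> None:
        """Instant revocation, e.g. when the laptop holding the token is lost."""
        body = token.split(".")[0]
        claims = json.loads(base64.urlsafe_b64decode(body))
        self.revoked.add(claims["jti"])

    def verify(self, token: str, target_host: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Checks run on every connection attempt; returns (allowed, reason)."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"       # tampered or forged token
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["jti"] in self.revoked:
            return False, "revoked"             # denied immediately after revoke()
        if now >= claims["exp"]:
            return False, "expired"             # a stolen token dies on its own
        if claims["host"] != target_host:
            return False, "host mismatch"       # prod-db-01 token on prod-api-02
        return True, "ok"


if __name__ == "__main__":
    issuer = TokenIssuer(b"constructed-demo-secret", ttl_seconds=600)
    t0 = 1_000_000  # fixed clock so the demo is deterministic
    token = issuer.issue("alice", "prod-db-01", now=t0)
    print("same host, in time  :", issuer.verify(token, "prod-db-01", now=t0 + 100))
    print("different host      :", issuer.verify(token, "prod-api-02", now=t0 + 100))
    print("after ttl           :", issuer.verify(token, "prod-db-01", now=t0 + 600))
    issuer.revoke(token)
    print("after revocation    :", issuer.verify(token, "prod-db-01", now=t0 + 100))
```

The order of checks matters: the signature is verified before any claim is read, so revocation and expiry decisions are only ever made on data the issuer actually signed. Contrast this with a permanent authorized key, which carries no host scope, no expiry and no per-connection check at all.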
CertLocker makes zero trust SSH practical — no complex configuration, no custom SSH daemon, no vendor lock-in.