add keys and certificate to forwarded agent on remote host

Tim Jones b631093f-779b-4d67-9ffe-5f6d5b1d3f8a at protonmail.ch
Tue Sep 18 17:45:24 AEST 2018


Why not just use Yubikeys?  SSH keys (at least the RSA type, the SSH developers' failure to adopt other supported key types after many years is something of an unnecessary frustration to the greater SSH community).

So issue your users with Yubikeys.  You can enforce the Yubikey so it requires the user to enter a PIN *and* touch the Yubikey.  This means there's an incredibly high degree of confidence that it was the user who performed the action (i.e. two-factor authentication of physical Yubikey and PIN, plus anti-keylogger because of the mandatory touching of the Yubikey).

You can use Yubikeys with ssh-add too, if you want.  Or you can just use it for ad-hoc individual logins.

