AuthenticationMethods for ssh certificate

asymptosis asymptosis at
Thu Feb 4 09:55:53 AEDT 2021

>It's actually 2 factors in our setup, the ssh certificate is created
>using MFA (and has a short lifetime), and the pubkey is the user's own
>private key.
>This prevents getting into the system if you have control of the MFA
>setup (which is handled by another team) or getting into the system
>without MFA :-)

My understanding was the certificate can only be used in conjunction with the user's private key anyway? So I think what you're after already happens automatically.

E.g. I have a user set up like this:

$ ls .ssh
config  id_ed25519  known_hosts

$ cat .ssh/config
Host repos
User git
PasswordAuthentication no
PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com
StrictHostKeyChecking accept-new
IdentityFile ~/.ssh/id_ed25519
IdentitiesOnly yes

When I move the id_ed25519 out of ~/.ssh, I get permission denied:

$ ssh repos
no such identity: <home-directory>/.ssh/id_ed25519: No such file or directory
git at Permission denied (publickey).
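
As an added illustration (not code from the thread), here is a small Python parser for the ed25519 certificate layout in OpenSSH's PROTOCOL.certkeys, run over a constructed certificate whose CA key and signature are zero placeholders (signature checking is out of scope). It shows why the certificate is only usable together with the matching private key: the cert embeds the user's public key, alongside the principals and the validity window set at issuance, and the `cert_usable_with` check fails for any other key or any time outside that window.

```python
import base64
import struct
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def ssh_str(b):
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def read_str(buf, off):
    """Decode an SSH 'string' at offset; returns (value, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_demo_cert(pk, key_id, principals, valid_after, valid_before):
    """Constructed ed25519 user cert in PROTOCOL.certkeys layout; CA key and signature are zero placeholders."""
    return (ssh_str(CERT_TYPE) + ssh_str(b"\x00" * 32)              # type, nonce
            + ssh_str(pk)                                             # the certified public key
            + struct.pack(">QI", 1, 1)                                # serial, type (1 = user)
            + ssh_str(key_id.encode())
            + ssh_str(b"".join(ssh_str(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + ssh_str(b"") * 3                                        # critical options, extensions, reserved
            + ssh_str(ssh_str(b"ssh-ed25519") + ssh_str(b"\x00" * 32))  # CA public key (placeholder)
            + ssh_str(b"\x00" * 64))                                  # CA signature (placeholder)

def parse_cert(blob):
    """Parse the fields that decide who may use the certificate and when."""
    ctype, off = read_str(blob, 0)
    if ctype != CERT_TYPE:
        raise ValueError("not an ssh-ed25519-cert-v01@openssh.com certificate")
    pk, off = read_str(blob, read_str(blob, off)[1])   # skip the nonce, take the certified key
    key_id, off = read_str(blob, off + 12)             # +12 skips serial (uint64) and type (uint32)
    princ_blob, off = read_str(blob, off)
    principals, p = [], 0
    while p < len(princ_blob):                         # nested list of SSH strings
        name, p = read_str(princ_blob, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return {"pk": pk, "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def pubkey_from_line(pub_line):
    """Raw 32-byte key from an id_ed25519.pub line ('ssh-ed25519 AAAA... comment')."""
    blob = base64.b64decode(pub_line.split()[1])
    return read_str(blob, read_str(blob, 0)[1])[0]     # skip the key-type string, take the key

def cert_usable_with(cert, pub_line, now):
    """True only if the cert certifies exactly this key and 'now' is inside its window."""
    return (cert["pk"] == pubkey_from_line(pub_line)
            and cert["valid_after"] <= now < cert["valid_before"])
```

`ssh-keygen -L -f id_ed25519-cert.pub` prints the same fields (public key, key ID, principals, validity) from a real certificate, so the two can be compared directly.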

More information about the openssh-unix-dev mailing list