AuthenticationMethods for ssh certificate

Wim S wimsharing at
Thu Feb 4 10:12:16 AEDT 2021

Well, for our setup we first use OIDC to authenticate to (HashiCorp)
Vault; this OIDC entry point is protected by MFA, so the user authenticates and
gets a time-limited Vault token.
We then generate a new private/public key pair and use the previous
Vault token to authenticate with Vault again, this time to the
SSH signing endpoint, where we upload the public key for signing, so we get
a (short-lived) certificate back.
Now the user can log in on the servers using the (generated) private key/certificate.

All of the above flow (except the final login) is done
automatically with our own Windows/Linux ssh-agent :-)

(sorry for the double message Peter)

On Thu 4 Feb 2021 at 00:01, Peter Moody <mindrot at> wrote:
> On Wed, Feb 3, 2021 at 2:55 PM asymptosis <asymptosis at> wrote:
> > My understanding was the certificate can only be used in conjunction with the user's private key anyway? So I think what you're after already happens automatically.
> I'd guess the certificate is based on a key pair the user doesn't
> control, e.g. it's created by the CA when the user auths. So the cert
> key and the non-cert key are distinct.
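As an added example (not code from this thread, from Vault or from the agent described above), a small Python checker for what such an agent should verify on the certificate it gets back from the signing endpoint: that the cert wraps the key pair the agent just generated (so it is not bound to some other key), that it is a user certificate, and that its validity window is short. The certificate used here is a constructed, unsigned sample in the OpenSSH wire layout; the parser assumes ssh-ed25519 certificates and does not verify the CA signature.

```python
import base64
import struct
import time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _read(buf: bytes, pos: int):
    """Read one SSH wire 'string' at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def parse_cert(blob_b64: str) -> dict:
    """Parse the public fields of an ssh-ed25519 cert (CA signature is NOT verified)."""
    buf = base64.b64decode(blob_b64)
    kind, pos = _read(buf, 0)
    if kind != CERT_TYPE:
        raise ValueError("unsupported certificate type: %r" % kind)
    _nonce, pos = _read(buf, pos)
    pubkey, pos = _read(buf, pos)                      # the key the cert is bound to
    serial, ctype = struct.unpack_from(">QI", buf, pos); pos += 12
    key_id, pos = _read(buf, pos)
    princ_blob, pos = _read(buf, pos)                  # packed list of strings
    valid_after, valid_before = struct.unpack_from(">QQ", buf, pos)
    principals, p = [], 0
    while p < len(princ_blob):
        name, p = _read(princ_blob, p)
        principals.append(name.decode())
    return {"pubkey": pubkey, "serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def check_cert(blob_b64: str, agent_pubkey: bytes, max_ttl: int = 3600, now=None):
    """Return (ok, problems): the cert must wrap our freshly generated key and be short-lived."""
    c = parse_cert(blob_b64)
    now = int(time.time()) if now is None else now
    problems = []
    if c["pubkey"] != agent_pubkey:
        problems.append("certificate is bound to a different public key")
    if c["type"] != 1:                                 # 1 = user cert, 2 = host cert
        problems.append("not a user certificate")
    if c["valid_before"] - c["valid_after"] > max_ttl:
        problems.append("validity window longer than %ds" % max_ttl)
    if not (c["valid_after"] <= now < c["valid_before"]):
        problems.append("not valid at the current time")
    return (not problems, problems)

def build_sample_cert(pubkey: bytes, principals, valid_after: int, valid_before: int) -> str:
    """Constructed, UNSIGNED sample in the real wire layout (placeholder CA key/signature)."""
    body = (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(pubkey) + struct.pack(">QI", 42, 1)
            + _s(b"vault-oidc-alice") + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")              # critical options, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(b"\x11" * 32))  # placeholder CA public key
            + _s(_s(b"ssh-ed25519") + _s(b"\x22" * 64)))  # placeholder signature
    return base64.b64encode(body).decode()
```

On a real Vault-issued certificate the same checks apply to the base64 part of the `-cert.pub` file; the signature itself is checked by sshd against its trusted CA key, not by the client.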

More information about the openssh-unix-dev mailing list