Authentication using federated identity

Brian Candler b.candler at
Tue Feb 13 21:13:39 AEDT 2024

On 13/02/2024 09:35, Gilbert Netzer wrote:
> we have not yet
> found a good way to for example get a token, e.g. a SSH key or certificate,
> in or out of the web-browser into the non-web part, for instance a SSH agent

Here's something I knocked together for my own use:

You run this from the command line, and it talks to your local 
ssh-agent. If you don't have a suitable certificate already then it 
generates a new key pair, gets Vault to sign it, and then inserts the 
new key and cert into ssh-agent (set to expire when the cert expires).

If you're using Vault with OIDC auth then it opens a browser window for 
that part, similar to how kubelogin works.

More information about the openssh-unix-dev mailing list