PrivateKeyCommand config idea

openssh at openssh at
Sat Mar 9 10:39:47 AEDT 2024


In our infrastructure we're trying to be more diligent about switching to sk keys (and/or certs backed by sk keys.) However, there are some services like Gerrit and Jenkins which are written in java and I guess they will never support sk keys, or at least, it seems like it won't happen any time soon.

For such services, typical practices at the moment include putting passphrases on the keys using OpenSSH's built-in AES128 encryption, and using GnuPG's ssh integration to create gpg-backed keys. These existing solutions cause various inconveniences, like needing to switch to a different terminal to get the passphrase out of Pass, or running into problems when trying to do agent-forwarding with gpg-backed keys on non-Linux OSes. Even on Linux, I think such a workflow can be a bit flaky at times.

I wondered if there would be support for adding a new configuration option called something like PrivateKeyCommand, analogous to existing "*Command" configs like AuthorizedKeysCommand. In practice I imagine it looks like this:

     PrivateKeyCommand pass show ssh/gerrit_ed25519

I suppose another possibility for the name could be IdentityCommand, analogous to IdentityFile.

If you like, and time permitting, I may be interested in trying to implement such a patch -- but before I invest the work, I wondered if there would be support for including it, or would it introduce some sort of issue that I've probably overlooked?



More information about the openssh-unix-dev mailing list