PrivateKeyCommand config idea

Bernd Eckenfels ecki at
Sat Mar 9 19:26:14 AEDT 2024


openssh at wrote on 9. Mar 2024 00:39 (GMT +01:00):

> In our infrastructure we're trying to be more diligent about switching to
> sk keys (and/or certs backed by sk keys.) However, there are some services
> like Gerrit and Jenkins which are written in java and I guess they will
> never support sk keys, or at least, it seems like it won't happen any time
> soon.
> For such services, typical practices at the moment include putting
> passphrases on the keys using OpenSSH's built-in AES128 encryption, and
> using GnuPG's ssh integration to create gpg-backed keys.

I would use a password manager with ssh-agent integration like KeePass instead.
But if you want to have the same level of protection (non-exportable keys) you would
need to store the key on a token with a smartcard interface.

But having a command to provide the key is a good idea. There are so many
solutions for using short-lived certificates or one-time keys for SSO, bastions,
cloud IAM and automatically provisioned identities; they would be able
to avoid wrappers when they have such an option.

(For your use case in particular I would not use it.)
