PrivateKeyCommand config idea

Brian Candler b.candler at
Sat Mar 9 20:04:34 AEDT 2024

On 08/03/2024 23:39, openssh at wrote:
> In our infrastructure we're trying to be more diligent about switching
> to sk keys (and/or certs backed by sk keys.) However, there are some
> services like Gerrit and Jenkins which are written in java and I guess
> they will never support sk keys, or at least, it seems like it won't
> happen any time soon.
> For such services, typical practices at the moment include putting
> passphrases on the keys using OpenSSH's built-in AES128 encryption, and
> using GnuPG's ssh integration to create gpg-backed keys.

If you're using physical security keys, then some vendors include the 
ability to store one or two SSH RSA private keys in them as well (e.g. 

If Gerrit and Jenkins accept certs, then another approach would be to 
have an out-of-band certificate issuance process using whatever 
authentication you like. I believe Rory Campbell-Lange's sshagentca 
<> will let you use an sk to prove 
your identity, and then will issue you with a fresh ED25519 signed by 
the CA key (and place it directly in the client's ssh agent)

Similarly, you can use Hashicorp's Vault to issue certificates (if you 
can stomach the new BSL license) using a range of different 
authentication mechanisms, although sk isn't one of them. I wrote 
<> to insert a new key 
& cert into the local ssh agent.

More information about the openssh-unix-dev mailing list