PrivateKeyCommand config idea
Brian Candler
b.candler at pobox.com
Sat Mar 9 20:04:34 AEDT 2024
On 08/03/2024 23:39, openssh at tr.id.au wrote:
> In our infrastructure we're trying to be more diligent about switching
> to sk keys (and/or certs backed by sk keys.) However, there are some
> services like Gerrit and Jenkins which are written in java and I guess
> they will never support sk keys, or at least, it seems like it won't
> happen any time soon.
>
> For such services, typical practices at the moment include putting
> passphrases on the keys using OpenSSH's built-in AES128 encryption, and
> using GnuPG's ssh integration to create gpg-backed keys.
If you're using physical security keys, then some vendors include the
ability to store one or two SSH RSA private keys in them as well (e.g.
Yubikey).
If Gerrit and Jenkins accept certs, then another approach would be to
have an out-of-band certificate issuance process using whatever
authentication you like. I believe Rory Campbell-Lange's sshagentca
<https://github.com/rorycl/sshagentca> will let you use an sk to prove
your identity, and then will issue you with a fresh ED25519 signed by
the CA key (and place it directly in the client's ssh agent).
Similarly, you can use Hashicorp's Vault to issue certificates (if you
can stomach the new BSL license) using a range of different
authentication mechanisms, although sk isn't one of them. I wrote
vault-ssh-agent-login
<https://github.com/candlerb/vault-ssh-agent-login> to insert a new key
& cert into the local ssh agent.
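The out-of-band issuance idea described in the reply above, as an added example in plain ssh-keygen that is not code from the original thread, from sshagentca, or from vault-ssh-agent-login: generate a throwaway ed25519 key, have a CA sign it with a short validity and a fixed list of principals, check that the cert really came from the expected CA, and load key plus cert into the agent. The CA key location, the one-hour validity, the reduced extensions and the principal and key-ID values ("alice", "git", "alice@example.com") are assumptions made for the example; whatever authenticates the request to the CA (an sk key, Vault auth, anything else) sits in front of `issue_cert` and is out of scope here.

```shell
#!/bin/sh
# Added example (not from the thread, sshagentca or vault-ssh-agent-login):
# a minimal out-of-band SSH CA flow using only ssh-keygen. The CA key path,
# the 1-hour validity and the principal/key ID values are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate the CA key once. In a real deployment this key lives on a hardened
# host or in an HSM; here it is created in a temp dir to keep the example
# self-contained. $1 = path of the CA private key ($1.pub is written beside it).
make_ca() {
    ca="$1"
    [ -f "$ca" ] || ssh-keygen -q -t ed25519 -N '' -C 'example-ssh-ca' -f "$ca"
}

# Generate a fresh ed25519 key pair for the client and sign its public key.
# $1 = CA private key, $2 = new key path, $3 = key ID (logged by sshd),
# $4 = comma-separated principals the cert may log in as.
# Writes $2, $2.pub and $2-cert.pub.
issue_cert() {
    ca="$1"; key="$2"; key_id="$3"; principals="$4"
    ssh-keygen -q -t ed25519 -N '' -C "$key_id" -f "$key"
    # -V +1h : short-lived, so there is no long-term secret worth stealing
    # -n     : limit which accounts the cert is valid for
    # -O ... : drop extensions that git-over-ssh does not need
    ssh-keygen -q -s "$ca" -I "$key_id" -n "$principals" -V '+1h' \
        -O no-port-forwarding -O no-agent-forwarding -O no-x11-forwarding \
        "$key.pub"
}

# Check that a cert was signed by the CA we expect and not by some other CA.
# $1 = CA public key, $2 = certificate file. Returns 0 on match.
cert_matches_ca() {
    ca_fp=$(ssh-keygen -lf "$1" | awk '{print $2}')
    ssh-keygen -L -f "$2" | grep -F 'Signing CA:' | grep -qF "$ca_fp"
}

# Print the key ID embedded in a cert. $1 = certificate file.
cert_key_id() {
    ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Key ID: "\(.*\)"$/\1/p'
}

# List the principals embedded in a cert, one per line. $1 = certificate file.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^[[:space:]]*Principals:/       { inp = 1; next }
        /^[[:space:]]*Critical Options:/ { inp = 0 }
        inp { sub(/^[[:space:]]+/, ""); if ($0 != "") print }'
}

# Return 0 if the cert is valid for principal $2, 1 otherwise.
cert_has_principal() {
    cert_principals "$1" | grep -qx "$2"
}

# Load key and cert into the running agent (ssh-add picks up $1-cert.pub when
# it sits next to the key). The -t lifetime matches the cert validity so the
# agent forgets the key when the cert expires. Needs SSH_AUTH_SOCK to be set.
load_into_agent() {
    ssh-add -t 3600 "$1"
}

# Stand-alone run: issue a cert for the hypothetical user "alice" and show it.
if [ "${1:-}" = "demo" ]; then
    make_ca "$WORK/ca"
    issue_cert "$WORK/ca" "$WORK/id_ed25519" "alice@example.com" "alice,git"
    ssh-keygen -L -f "$WORK/id_ed25519-cert.pub"
    if [ -n "${SSH_AUTH_SOCK:-}" ]; then
        load_into_agent "$WORK/id_ed25519"
    fi
fi
```

Run it as `sh issue.sh demo` (the file name is arbitrary). The server side has to trust the CA, which in sshd terms means pointing `TrustedUserCAKeys` at `ca.pub`; whether Gerrit or Jenkins can be made to honour the same cert is the open question the reply above starts from, and nothing here answers it.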
More information about the openssh-unix-dev mailing list