It's actually 2 factors in our setup: the ssh certificate is created using MFA (and has a short lifetime), and the pubkey is the user's own private key. This prevents getting into the system if you have control of the MFA setup (which is handled by another team) or getting into the system without MFA :-)
My understanding was the certificate can only be used in conjunction with the user's private key anyway? So I think what you're after already happens automatically. Eg I have a user set up like this:

$ ls .ssh
config  id_ed25519  id_ed25519-cert.pub  id_ed25519.pub  known_hosts

$ cat .ssh/config
Host repos
    User git
    Hostname 10.0.0.1
    PasswordAuthentication no
    PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@xxxxxxxxxxx
    StrictHostKeyChecking accept-new
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

When I move the id_ed25519 out of ~/.ssh, I get permission denied:

$ ssh repos
no such identity: <home-directory>/.ssh/id_ed25519: No such file or directory
git@10.0.0.1: Permission denied (publickey).

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
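As an added example (not from either poster, and not OpenSSH code), a small Python parser for the ssh-ed25519-cert-v01@openssh.com certificate format that shows why the behaviour above holds: the certificate embeds the user's public key, so it is only usable together with the matching id_ed25519 private key, and its validity window is visible in the blob. The sample key and certificate are constructed inline with a dummy CA key and signature; nothing here signs or verifies anything.

```python
import base64, struct

def _s(b):                              # SSH "string": uint32 length + bytes (RFC 4251)
    return struct.pack(">I", len(b)) + b
def _rd_string(buf, off):
    n = struct.unpack(">I", buf[off:off + 4])[0]
    return buf[off + 4:off + 4 + n], off + 4 + n
def parse_ed25519_cert(cert_line):
    """Public fields of an ssh-ed25519-cert-v01@openssh.com line, in the order given
    by OpenSSH PROTOCOL.certkeys. The CA signature is parsed but NOT verified."""
    blob, off, fields = base64.b64decode(cert_line.split()[1]), 0, []
    for kind in "sssQIssQQsssss":      # s = string, Q = uint64, I = uint32
        if kind == "s":
            val, off = _rd_string(blob, off)
        else:
            size = 8 if kind == "Q" else 4
            val, off = struct.unpack(">" + kind, blob[off:off + size])[0], off + size
        fields.append(val)
    (ctype, _nonce, pk, serial, cert_type, key_id, principals,
     valid_after, valid_before, _crit, _ext, _res, _ca, _sig) = fields
    if ctype != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("not an Ed25519 OpenSSH certificate: %r" % ctype)
    names, off = [], 0
    while off < len(principals):        # principals is itself a list of strings
        name, off = _rd_string(principals, off)
        names.append(name.decode())
    return {"pubkey": pk, "serial": serial, "type": cert_type, "key_id": key_id.decode(),
            "principals": names, "valid_after": valid_after, "valid_before": valid_before}
def pubkey_from_line(pub_line):
    """Raw 32-byte key from an 'ssh-ed25519 AAAA... comment' id_ed25519.pub line."""
    blob = base64.b64decode(pub_line.split()[1])
    ktype, off = _rd_string(blob, 0)
    if ktype != b"ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key")
    return _rd_string(blob, off)[0]
def cert_binds_key(cert_line, pub_line):
    """True when the cert embeds this exact public key (no private key, no usable cert)."""
    return parse_ed25519_cert(cert_line)["pubkey"] == pubkey_from_line(pub_line)
def build_constructed_cert(pk, key_id, principals, valid_after, valid_before):
    """Constructed test cert with a dummy CA key and signature (not really CA-signed)."""
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(pk)
            + struct.pack(">QI", 1, 1) + _s(key_id.encode())      # serial=1, type=1 (user)
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + _s(b"") * 3  # no options/extensions
            + _s(_s(b"ssh-ed25519") + _s(b"\x11" * 32)) + _s(_s(b"ssh-ed25519") + _s(b"\x22" * 64)))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()

# Constructed sample: a user public key and a one-hour certificate for principal "git".
USER_PK = bytes(range(32))
USER_PUB_LINE = "ssh-ed25519 " + base64.b64encode(_s(b"ssh-ed25519") + _s(USER_PK)).decode() + " user@laptop"
USER_CERT_LINE = build_constructed_cert(USER_PK, "alice-mfa", ["git"], 1700000000, 1700003600)
```

Run against a real id_ed25519-cert.pub and id_ed25519.pub, cert_binds_key reports whether the two files belong together, and valid_before minus valid_after shows how short the MFA-issued lifetime actually is.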