Well, for our setup we use OIDC first to authenticate to (HashiCorp) Vault; this OIDC entry point is protected by MFA, so the user authenticates and gets a time-limited Vault token. We then generate a new private/public keypair and use the previous Vault token to authenticate with Vault again, this time to the SSH-signing endpoint, where we upload the public key for signing, so we get a (short-lived) certificate back. Now the user can log in on the servers using the (generated) private key/certificate.

All of the above flow (except the final logging in) is done automatically with our own Windows/Linux ssh-agent :-)

(sorry for the double message Peter)

On Thu, 4 Feb 2021 at 00:01, Peter Moody <mindrot@xxxxxxxx> wrote:
>
> On Wed, Feb 3, 2021 at 2:55 PM asymptosis <asymptosis@xxxxxxxxxx> wrote:
>
> > My understanding was the certificate can only be used in conjunction with the user's private key anyway? So I think what you're after already happens automatically.
>
> I'd guess the certificate is based on a keypair the user doesn't
> control, e.g. it's created by the CA when the user auths. So the cert
> key and the non-cert key are distinct.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
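The flow above ends with the agent holding a freshly generated private key and the certificate the signing endpoint returned for its public key. As an added example (not the poster's agent code and not Vault's), the stand-alone Python below parses an OpenSSH ed25519 user certificate with the standard library only and applies the checks a client agent can make before loading the pair: the certificate embeds the same public key that was just generated (the point raised in the quoted reply), it names the expected principal, it carries the expected CA key, and the clock is inside its short validity window. The certificate in the block is constructed in place with a placeholder signature, since real signing is the CA's job; the function names build_cert_line, parse_cert_line and check_cert, the key id vault-oidc-alice and the 32-byte key values are assumptions of the example. It does not verify the CA signature; the server does that at login.

```python
"""Check a short-lived OpenSSH user certificate before an agent loads it.

Added example: stdlib-only parser for the ed25519 certificate layout from
OpenSSH's PROTOCOL.certkeys, plus the sanity checks a client can run on the
certificate a signing service hands back. The CA signature is not verified.
"""
import base64
import struct
import time

ED25519_CERT = "ssh-ed25519-cert-v01@openssh.com"
CERT_TYPE_USER = 1  # 2 would be a host certificate


def _string(b):
    """Encode an SSH 'string': uint32 big-endian length prefix plus bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _read_u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _read_u64(buf, off):
    return struct.unpack_from(">Q", buf, off)[0], off + 8


def _name_list(blob):
    """Decode the packed 'valid principals' field (concatenated SSH strings)."""
    names, off = [], 0
    while off < len(blob):
        s, off = _read_string(blob, off)
        names.append(s.decode())
    return names


def build_cert_line(user_pk, ca_pk, principals, valid_after, valid_before,
                    key_id="vault-oidc-alice", serial=1):
    """Constructed sample certificate line (assumption: placeholder zero signature).

    A real certificate arrives from the CA already signed; this builder only
    exists so the parser and checks below can run offline on realistic input.
    """
    body = (_string(ED25519_CERT.encode()) + _string(b"\x00" * 32)     # type, nonce
            + _string(user_pk) + struct.pack(">Q", serial)              # pk, serial
            + struct.pack(">I", CERT_TYPE_USER) + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + _string(b"")                                             # critical options
            + _string(_string(b"permit-pty") + _string(b""))           # extensions
            + _string(b"")                                             # reserved
            + _string(_string(b"ssh-ed25519") + _string(ca_pk)))      # signature key
    blob = body + _string(_string(b"ssh-ed25519") + _string(b"\x00" * 64))
    return f"{ED25519_CERT} {base64.b64encode(blob).decode()} {key_id}"


def parse_cert_line(line):
    """Parse one line of an OpenSSH ed25519 user certificate file into a dict."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != ED25519_CERT:
        raise ValueError("not an ed25519 user certificate line")
    blob, off = base64.b64decode(parts[1]), 0
    kt, off = _read_string(blob, off)
    if kt.decode() != ED25519_CERT:
        raise ValueError("key type inside blob does not match the line")
    _nonce, off = _read_string(blob, off)
    pk, off = _read_string(blob, off)
    serial, off = _read_u64(blob, off)
    ctype, off = _read_u32(blob, off)
    key_id, off = _read_string(blob, off)
    principals, off = _read_string(blob, off)
    valid_after, off = _read_u64(blob, off)
    valid_before, off = _read_u64(blob, off)
    for _ in range(3):                 # critical options, extensions, reserved
        _skip, off = _read_string(blob, off)
    ca_blob, off = _read_string(blob, off)   # the CA's public key blob
    _ca_type, o = _read_string(ca_blob, 0)
    ca_pk, _ = _read_string(ca_blob, o)
    return {"public_key": pk, "serial": serial, "type": ctype,
            "key_id": key_id.decode(), "principals": _name_list(principals),
            "valid_after": valid_after, "valid_before": valid_before,
            "ca_public_key": ca_pk}


def check_cert(cert, user_pk, ca_pk, principal, now=None, max_lifetime=3600):
    """Return the reasons the cert must not be loaded; an empty list means OK."""
    now = int(time.time()) if now is None else now
    problems = []
    if cert["type"] != CERT_TYPE_USER:
        problems.append("not a user certificate")
    if cert["public_key"] != user_pk:        # cert must be bound to the key we generated
        problems.append("certificate is for a different public key")
    if cert["ca_public_key"] != ca_pk:       # only the CA the servers trust
        problems.append("signed by an unexpected CA key")
    if principal not in cert["principals"]:
        problems.append(f"principal {principal!r} not in {cert['principals']}")
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        problems.append("outside validity window")
    if cert["valid_before"] - cert["valid_after"] > max_lifetime:
        problems.append("lifetime longer than policy allows")
    return problems
```

Feed parse_cert_line the certificate line the signing endpoint returns (for Vault's SSH secrets engine that is the signed_key field, the same text ssh reads from the -cert.pub file next to the private key) and compare against the public key the agent just generated; anything other than an empty list from check_cert means the agent discards the pair and reruns the flow instead of offering the certificate to the server.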