Re: PrivateKeyCommand config idea


 



Hello,

openssh@xxxxxxxx wrote on 9. Mar 2024 00:39 (GMT +01:00):

> In our infrastructure we're trying to be more diligent about switching to
> sk keys (and/or certs backed by sk keys.) However, there are some services
> like Gerrit and Jenkins which are written in Java and I guess they will
> never support sk keys, or at least, it seems like it won't happen any time
> soon.
> 
> For such services, typical practices at the moment include putting
> passphrases on the keys using OpenSSH's built-in AES128 encryption, and
> using GnuPG's ssh integration to create gpg-backed keys.

I would use a password manager with ssh-agent integration like KeePass, instead.
But if you want to have the same level of protection (non-exportable keys) you would
need to store the key on the token with a smartcard interface.

But having a command to provide the key is a good idea. There are so many
solutions for using short-lived certificates or one-time keys for SSO, bastions,
cloud IAM and automatically provisioned identities; they would be able
to avoid wrappers when they have such an option.

(For your use case in particular I would not use it.)

Regards
Bernd
— 
https://bernd.eckenfels.net
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



