Re: PrivateKeyCommand config idea

On 08/03/2024 23:39, openssh@xxxxxxxx wrote:
> In our infrastructure we're trying to be more diligent about switching
> to sk keys (and/or certs backed by sk keys.) However, there are some
> services like Gerrit and Jenkins which are written in java and I guess
> they will never support sk keys, or at least, it seems like it won't
> happen any time soon.
>
> For such services, typical practices at the moment include putting
> passphrases on the keys using OpenSSH's built-in AES128 encryption, and
> using GnuPG's ssh integration to create gpg-backed keys.

If you're using physical security keys, then some vendors include the ability to store one or two SSH RSA private keys in them as well (e.g. Yubikey).

If Gerrit and Jenkins accept certs, then another approach would be to have an out-of-band certificate issuance process using whatever authentication you like. I believe Rory Campbell-Lange's sshagentca <https://github.com/rorycl/sshagentca> will let you use an sk to prove your identity, and then will issue you with a fresh ED25519 signed by the CA key (and place it directly in the client's ssh agent).

Similarly, you can use Hashicorp's Vault to issue certificates (if you can stomach the new BSL license) using a range of different authentication mechanisms, although sk isn't one of them. I wrote vault-ssh-agent-login <https://github.com/candlerb/vault-ssh-agent-login> to insert a new key & cert into the local ssh agent.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
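As an added illustration of the out-of-band issuance flow described in the reply above (this is not code from the thread, from sshagentca, or from vault-ssh-agent-login), the script below walks through the same steps with plain ssh-keygen: a CA key on the issuer side, a fresh ED25519 key on the client side, a certificate signed with a pinned principal and a short validity window, and a client-side inspection of the result before it would be loaded into the agent. The CA key, the principal name `alice`, the key ID and the one-hour validity are constructed for the demo; the real authentication step (sk touch, Vault login) is where the comment says it happens and is not simulated.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of any tool it names.
# Demonstrates the short-lived-certificate pattern with stock ssh-keygen.
set -eu

issue_short_lived_cert() {
    work=$(mktemp -d)

    # 1. Issuer side: the CA key. In a real deployment this lives only on the
    #    issuing service (sshagentca, Vault, ...), never on the client.
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$work/ca"

    # 2. Client side: a fresh ED25519 key pair generated per login, so a
    #    leaked private key is only useful until the certificate expires.
    ssh-keygen -q -t ed25519 -N '' -C 'demo-user' -f "$work/id_ed25519"

    # 3. Issuer side: after authenticating the user out of band, sign the
    #    public key. Principal (-n) and validity (-V) are pinned by the issuer;
    #    'alice', the key ID and +1h are constructed demo values.
    ssh-keygen -q -s "$work/ca" -I 'demo-user@example' -n alice -V +1h \
        "$work/id_ed25519.pub"

    # 4. Client side: inspect the certificate (type, principals, validity)
    #    before trusting it; this is the output the function returns.
    ssh-keygen -L -f "$work/id_ed25519-cert.pub"

    # 5. Normally the key and certificate would now be loaded for the session
    #    with: ssh-add "$work/id_ed25519"  (skipped here: no agent assumed).
    rm -rf "$work"
}

# Run stand-alone to print the issued certificate's details.
issue_short_lived_cert
```

Servers that should accept these certificates only need the CA public key in `TrustedUserCAKeys` (plus an `AuthorizedPrincipalsFile` or matching account name for the principal); the CA private key never leaves the issuer, which is the property that makes this approach comparable to sk-backed keys for services that cannot speak FIDO.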


