On 08/03/2024 23:39, openssh@xxxxxxxx wrote:
In our infrastructure we're trying to be more diligent about switching to sk keys (and/or certs backed by sk keys.) However, there are some services like Gerrit and Jenkins which are written in java and I guess they will never support sk keys, or at least, it seems like it won't happen any time soon. For such services, typical practices at the moment include putting passphrases on the keys using OpenSSH's built-in AES128 encryption, and using GnuPG's ssh integration to create gpg-backed keys.
If you're using physical security keys, then some vendors include the ability to store one or two SSH RSA private keys in them as well (e.g. Yubikey).
If Gerrit and Jenkins accept certs, then another approach would be to have an out-of-band certificate issuance process using whatever authentication you like. I believe Rory Campbell-Lange's sshagentca <https://github.com/rorycl/sshagentca> will let you use an sk to prove your identity, and then will issue you with a fresh ED25519 signed by the CA key (and place it directly in the client's ssh agent)
Similarly, you can use Hashicorp's Vault to issue certificates (if you can stomach the new BSL license) using a range of different authentication mechanisms, although sk isn't one of them. I wrote vault-ssh-agent-login <https://github.com/candlerb/vault-ssh-agent-login> to insert a new key & cert into the local ssh agent.
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
