Comment by yjftsjthsd-h
5 months ago
There is an easier way: Create a SSH CA, add that to your authorized_keys everywhere, use it to sign the individual public keys.
Yep, that's what I do! I have two SSH CAs stored on two YubiKeys, and both are trusted by my servers.
If I lose one, I can still sign new certs with the other.
https://github.com/arianvp/nixos-stuff/blob/master/modules/s...
That's good, but more complicated, and not everything supports it. On GitHub, for example, SSH CA requires subscribing to their enterprise service.
Also, I don't know if you can store the root or the resulting signed key in the enclave the way this article says.
But now you need to worry about revocation or at least key lifetimes.
I would argue that doing both of those is still less work than maintaining authorized_keys in many places.
Yes, and I also don't know if the other way works with the Secure Enclave.
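The workflow from the top comment (create a CA, trust it in authorized_keys, sign individual public keys), together with the key lifetime and revocation point raised in the later replies, as an added example that is not code from anyone in this thread. It uses only stock ssh-keygen inside a scratch directory. The CA name, the user "alice", the key ID and the serial number are made-up demo values, and the CA private key is a plain file here rather than the YubiKey-resident key described above.

```shell
#!/bin/sh
# Added example (not from the thread): an SSH user CA end to end with stock
# ssh-keygen, entirely inside a scratch directory. All names are demo values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/demo-ca"          # CA private key; the thread keeps this on a YubiKey
USER_KEY="$WORK/alice"      # one individual key that the CA will sign
KRL="$WORK/revoked.krl"     # key revocation list that servers would load

# 1. Create the CA key and an ordinary user key (ed25519, no passphrase: demo only).
make_keys() {
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$CA"
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$USER_KEY"
}

# 2. The one line that goes into authorized_keys on every server: trust the CA's
#    public key, and only for certificates carrying the principal "alice".
#    (Equivalently, point TrustedUserCAKeys in sshd_config at demo-ca.pub.)
write_authorized_keys() {
    printf 'cert-authority,principals="alice" %s\n' "$(cat "$CA.pub")" \
        > "$WORK/authorized_keys"
}

# 3. Sign alice's public key. The certificate carries a serial (for revocation),
#    a key ID (logged by sshd), the principal, and a validity window of
#    5 minutes ago until 52 weeks from now: this is the "key lifetime".
sign_user_key() {
    ssh-keygen -q -s "$CA" -I 'alice-laptop' -n alice -z 7 -V -5m:+52w "$USER_KEY.pub"
    # writes $USER_KEY-cert.pub next to the public key
}

# 4. Checks on the resulting certificate, read from `ssh-keygen -L` output.
cert_serial_is()     { ssh-keygen -L -f "$USER_KEY-cert.pub" | grep -q "Serial: $1\$"; }
cert_has_principal() { ssh-keygen -L -f "$USER_KEY-cert.pub" | grep -qx "[[:space:]]*$1"; }
cert_signed_by_ca() {
    fp=$(ssh-keygen -lf "$CA.pub" | awk '{print $2}')   # SHA256:... of the CA key
    ssh-keygen -L -f "$USER_KEY-cert.pub" | grep -qF "Signing CA: ED25519 $fp"
}

# 5. Revocation without editing any authorized_keys: list the serial in a KRL
#    scoped to this CA. Servers pick it up via RevokedKeys in sshd_config.
revoke_serial() {
    printf 'serial: %s\n' "$1" > "$WORK/revoke.spec"
    ssh-keygen -k -f "$KRL" -s "$CA.pub" "$WORK/revoke.spec"
}
# True when the certificate is listed in the KRL.
is_revoked() { ssh-keygen -Q -f "$KRL" "$USER_KEY-cert.pub" | grep -q REVOKED; }

make_keys
write_authorized_keys
sign_user_key
echo "authorized_keys line for every server:"
cat "$WORK/authorized_keys"
ssh-keygen -L -f "$USER_KEY-cert.pub"
revoke_serial 7
if is_revoked; then echo "serial 7 is now revoked in $KRL"; fi
```

With the CA on a YubiKey as in the reply above, the signing step changes only in where the private key comes from: `ssh-keygen -s` accepts a PKCS#11 CA key via `-D libykcs11.so` (or whichever PKCS#11 module the token uses), so the private key never leaves the device. Whether revocation is worth the KRL plumbing or short validity windows alone suffice is exactly the trade-off the replies are arguing about; the script shows that both are a one-line change rather than an edit to every server.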