Yubikey recently had a 50% off sale, and now I have 4 keys (2 old, 2 new). This comes with the problem that I now need to copy around a lot more keys for every machine I set up.
Solution? SSH Certificates.
I use `~/.ssh/ssh/5c`, generated by `ssh-keygen -t ed25519-sk -f ~/.ssh/ssh/5c -O resident`, as the CA to sign my other keys (`5r` here) to generate certificates:

```shell
ssh-keygen -s ~/.ssh/ssh/5c -I 5r_5c ~/.ssh/ssh/5r.pub
# ssh-keygen writes 5r-cert.pub next to 5r.pub; rename it to match CertificateFile below
mv ~/.ssh/ssh/5r-cert.pub ~/.ssh/ssh/5r.pub.5c.cert
```
I set up everything in `.ssh/config`, allowing me to just do `ssh lilith`:

```
Host lilith
    Hostname 192.168.100.1
    IdentityFile ~/.ssh/ssh/5r
    CertificateFile ~/.ssh/ssh/5r.pub.5c.cert
```
On the remote host, `.ssh/authorized_keys` will have lines like the one below, where the key is just the CA's public key (found in the `.pub` file):

```
cert-authority sk-ssh-ed25519@openssh.com AAAA....=
```
You can also sign host keys, using `-h` instead of `-I`, and with `HostCertificate /etc/ssh/ssh_host_ed25519_key.pub.5c.cert` in `/etc/ssh/sshd_config`.

The `.ssh/known_hosts` format for CAs is the same as `authorized_keys`, and this reduces the churn and lines in there.
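As an added example (not code from the post), here is a small Python decoder for the `-cert.pub` format that `ssh-keygen -s` produces, to check what a certificate actually grants before trusting a CA line in `authorized_keys` or `known_hosts`: it reports the key ID set with `-I`, the cert type (user or host), principals, validity window and the CA fingerprint, and flags certificates with no principals or no expiry. It goes beyond the post in covering both plain and security-key ed25519 certificates and host certificates. The sample certificate is constructed inline with dummy key bytes and a dummy signature, and signatures are not verified.

```python
# Added example (not the post's code): decode an OpenSSH ed25519 certificate line and flag over-broad
# grants. Sample cert is constructed with dummy keys and an unverified dummy signature; layout is real.
import base64, hashlib, struct
USER_CERT, HOST_CERT = 1, 2
FOREVER = 2**64 - 1   # "valid before" written by ssh-keygen when -V is not given
SK_CERT, PLAIN_CERT = "sk-ssh-ed25519-cert-v01@openssh.com", "ssh-ed25519-cert-v01@openssh.com"

def s(b):  # SSH wire 'string': big-endian uint32 length + data
    return struct.pack(">I", len(b)) + b

class Reader:  # sequential reader for SSH wire types
    def __init__(self, data): self.b, self.i = data, 0
    def take(self, n): v = self.b[self.i:self.i + n]; self.i += n; return v
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())

def build_sample_cert(key_id, principals, valid_after=0, valid_before=FOREVER, cert_type=USER_CERT):
    """Constructed sk-ssh-ed25519 certificate (PROTOCOL.certkeys + PROTOCOL.u2f layout, dummy keys)."""
    ca_blob = s(b"sk-ssh-ed25519@openssh.com") + s(b"\x22" * 32) + s(b"ssh:")
    body = (s(SK_CERT.encode()) + s(b"\x00" * 32) + s(b"\x11" * 32) + s(b"ssh:")  # nonce, pk, application
            + struct.pack(">QI", 0, cert_type) + s(key_id.encode())
            + s(b"".join(s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + s(b"") + s(b"") + s(b"")  # opts, exts, reserved
            + s(ca_blob) + s(s(b"sk-ssh-ed25519@openssh.com") + s(b"\x33" * 64)))
    return SK_CERT + " " + base64.b64encode(body).decode()

def parse_cert(line):
    """Parse one (sk-)ssh-ed25519 certificate line as found in <key>-cert.pub (signature not checked)."""
    ktype, b64 = line.split()[:2]
    r = Reader(base64.b64decode(b64))
    if ktype not in (SK_CERT, PLAIN_CERT) or r.string() != ktype.encode():
        raise ValueError("unsupported or inconsistent certificate type: " + ktype)
    r.string(); r.string()                       # nonce, certified public key
    if ktype == SK_CERT: r.string()              # application (security-key certs only)
    c = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode()}
    pr, c["principals"] = Reader(r.string()), []
    while pr.i < len(pr.b):
        c["principals"].append(pr.string().decode())
    c["valid_after"], c["valid_before"] = r.u64(), r.u64()
    r.string(); r.string(); r.string()           # critical options, extensions, reserved
    ca = r.string()                              # signature key: the CA public key blob sshd logs
    c["ca_fingerprint"] = "SHA256:" + base64.b64encode(hashlib.sha256(ca).digest()).decode().rstrip("=")
    return c

def audit(cert):
    """Over-broad properties a reviewer of cert-authority entries would want flagged."""
    findings = [] if cert["principals"] else ["no principals: accepted for any user or host"]
    if cert["valid_before"] == FOREVER:
        findings.append("no expiry: never needs renewal")
    return findings
```

The reported `ca_fingerprint` is the value to compare against the `cert-authority` line you trust; `parse_cert` also accepts a real `5r.pub.5c.cert` line read from disk.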
If you use Google Cloud Compute Engine, you can set SSH public keys in the metadata, and their agent will insert them into `authorized_keys` for you on demand. Unfortunately, SSH certificates don't work there (invalid format).