Yubikey recently had a 50% off sale, and now I have 4 keys (2 old, 2 new). This comes with the problem that I now need to copy a lot more public keys around for every machine I set up.
Solution? SSH certificates.
The CA key is ~/.ssh/ssh/5c, generated by
ssh-keygen -t ed25519-sk -f ~/.ssh/ssh/5c -O resident
I then use it to sign the other keys (5r here), generating certificates. ssh-keygen writes the certificate as 5r-cert.pub next to the public key, which is renamed here to match the config below:
ssh-keygen -s ~/.ssh/ssh/5c -I 5r_5c ~/.ssh/ssh/5r.pub
mv ~/.ssh/ssh/5r-cert.pub ~/.ssh/ssh/5r.pub.5c.cert
I set everything up in .ssh/config, allowing me to just use the host alias:
Host lilith
    Hostname 192.168.100.1
    IdentityFile ~/.ssh/ssh/5r
    CertificateFile ~/.ssh/ssh/5r.pub.5c.cert
On the remote host, .ssh/authorized_keys will have lines like the one below, where the key is just the CA's public key (found in
cert-authority sk-ssh-ed25519@openssh.com AAAA....=
You can also sign host keys, by passing -h to the same ssh-keygen -s command.
The .ssh/known_hosts format for CAs works the same way, and this reduces the churn and the number of lines in there.
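The whole flow above, end to end (CA key, signed user key, the authorized_keys CA line, a host certificate signed with -h, and the matching known_hosts CA line), as an added shell example that is not from the original post. It uses plain ed25519 software keys in a scratch directory instead of the post's ed25519-sk resident keys so it runs without a YubiKey; the file names (ca, user, host), the principal alice, the host pattern *.example.internal, the key IDs and the 52-week validity are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the SSH certificate flow end to end,
# using plain ed25519 software keys in a scratch directory so it runs without a
# YubiKey. Names (ca, user, host), the principal "alice", the host pattern
# "*.example.internal" and the 52-week validity are assumptions for the demo.
set -eu

if ! command -v ssh-keygen >/dev/null 2>&1; then
  echo "ssh-keygen not found; nothing to demonstrate" >&2
  exit 0
fi

WORK="${WORK:-$(mktemp -d)}"

# Read "keytype base64" from a .pub file, dropping the trailing comment.
pubkey_body() { cut -d' ' -f1,2 "$1"; }

# 1. CA key and a user key (the post's 5c and 5r; here software ed25519).
make_keys() {
  rm -f "$WORK/ca" "$WORK/ca.pub" "$WORK/user" "$WORK/user.pub"
  ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$WORK/ca"
  ssh-keygen -q -t ed25519 -N '' -C 'demo-user' -f "$WORK/user"
}

# 2. Sign the user key: a key ID (shows up in sshd logs), an explicit principal
#    list (-n) and a bounded validity window (-V) rather than a certificate that
#    never expires. ssh-keygen writes user-cert.pub; rename it the way the post does.
sign_user_key() {
  rm -f "$WORK/user-cert.pub" "$WORK/user.pub.ca.cert"
  ssh-keygen -q -s "$WORK/ca" -I 'user_ca' -n 'alice' -V '+52w' "$WORK/user.pub"
  mv "$WORK/user-cert.pub" "$WORK/user.pub.ca.cert"
}

# 3. The authorized_keys line for the remote host: trust the CA, but only for
#    certificates whose principals match the principals= option.
authorized_keys_line() {
  printf 'cert-authority,principals="alice" %s\n' "$(pubkey_body "$WORK/ca.pub")"
}

# 4. Host side: sign a host key with -h, and emit the known_hosts line that
#    trusts host certificates from this CA for a host name pattern.
sign_host_key() {
  rm -f "$WORK/host" "$WORK/host.pub" "$WORK/host-cert.pub"
  ssh-keygen -q -t ed25519 -N '' -C 'demo-host' -f "$WORK/host"
  ssh-keygen -q -s "$WORK/ca" -I 'host_ca' -h -n 'lilith.example.internal' -V '+52w' "$WORK/host.pub"
}
known_hosts_line() {
  printf '@cert-authority *.example.internal %s\n' "$(pubkey_body "$WORK/ca.pub")"
}

# Pull the Key ID out of `ssh-keygen -L` output (the line reads: Key ID: "user_ca").
cert_key_id() {
  ssh-keygen -L -f "$1" | awk '/Key ID:/ { gsub(/"/, "", $3); print $3 }'
}

demo() {
  make_keys
  sign_user_key
  sign_host_key
  echo "== user certificate";   ssh-keygen -L -f "$WORK/user.pub.ca.cert"
  echo "== host certificate";   ssh-keygen -L -f "$WORK/host-cert.pub"
  echo "== authorized_keys line"; authorized_keys_line
  echo "== known_hosts line";     known_hosts_line
}

demo
```

Inspecting the certificate with ssh-keygen -L is the check worth keeping around: it shows the key ID, principals and validity window that the remote side will enforce, which is what distinguishes a CA line from a plain authorized_keys entry.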
If you use Google Cloud Compute Engine, you can set SSH public keys in the metadata, and their agent will insert them into authorized_keys for you on demand. Unfortunately, SSH certificates don't work there (invalid format).