ssh certificates with yubikeys

CA all the things

YubiKey recently had a 50% off sale, and now I have 4 keys (2 old, 2 new). This comes with the problem that I now need to copy around a lot more keys for every machine I set up.


Solution? SSH Certificates.

generate certificates
  1. Choose a key as your CA; I chose ~/.ssh/ssh/5c, generated with ssh-keygen -t ed25519-sk -f ~/.ssh/ssh/5c -O resident
  2. Sign the public key part of individual keys (5r here) to generate certificates: ssh-keygen -s ~/.ssh/ssh/5c -I 5r_5c ~/.ssh/ssh/
  3. Rename the cert to something clearer: mv
  4. Repeat for each key / CA combo

using the certs

I set up everything in .ssh/config, allowing me to just do ssh lilith

Host lilith
    IdentityFile ~/.ssh/ssh/5r
    CertificateFile ~/.ssh/ssh/

On the remote host, .ssh/authorized_keys will have lines like the one below, where the key is just the CA's public key (found file).

cert-authority AAAA....=

You can also sign host keys, using -h instead of -I and with HostCertificate /etc/ssh/ in /etc/ssh/sshd_config.

The .ssh/known_hosts format for CAs is the same as authorized_keys, and this reduces the churn and the number of lines in there.
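To see what ssh-keygen -s actually wrote into a cert (the key ID from -I, the principals, the validity window, and which CA signed it), here is an added example that is not from this post: it decodes an ed25519 *-cert.pub line following the OpenSSH certificate layout and models the check sshd makes against a cert-authority line in authorized_keys, with signature verification left out. The sample certificate and CA key are constructed inside the code and are not real keys; a cert signed without -n or -V has an empty principal list and a validity window of 0 to 2**64-1, which the decoder makes visible.

```python
import base64, struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b):
    return struct.pack(">I", len(b)) + b                  # RFC 4251 string: uint32 length + bytes

def _take(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)             # read one RFC 4251 string at off
    return buf[off + 4:off + 4 + n], off + 4 + n

def _blob(line):                                          # base64 field of a key, cert or cert-authority line
    return base64.b64decode(next(p for p in line.split() if p.startswith("AAAA")))

def parse_cert(cert_line):
    """Decode an ed25519 *-cert.pub line; field order follows OpenSSH PROTOCOL.certkeys."""
    blob, c = _blob(cert_line), {}
    ctype, off = _take(blob, 0)
    if ctype != CERT_TYPE:
        raise ValueError("only ssh-ed25519 certificates are handled here")
    c["pk"], off = _take(blob, _take(blob, off)[1])       # skip the nonce; pk is the key that was signed
    c["serial"], c["cert_type"] = struct.unpack_from(">QI", blob, off)  # type 1 = user, 2 = host
    key_id, off = _take(blob, off + 12)
    c["key_id"] = key_id.decode()                         # value given to ssh-keygen -I
    princ, off = _take(blob, off)
    c["principals"], p = [], 0
    while p < len(princ):                                 # nested list of strings (ssh-keygen -n)
        name, p = _take(princ, p)
        c["principals"].append(name.decode())
    c["valid_after"], c["valid_before"] = struct.unpack_from(">QQ", blob, off)  # no -V: 0 .. 2**64-1
    off += 16
    for _ in range(3): _skip, off = _take(blob, off)      # skip critical options, extensions, reserved
    c["ca_pub"], off = _take(blob, off)                   # public key of the signing CA
    return c

def cert_accepted(cert_line, authorized_line, user, now):
    # Model of sshd's cert-authority check, minus signature verification.
    c = parse_cert(cert_line)
    return (c["ca_pub"] == _blob(authorized_line) and c["cert_type"] == 1
            and user in c["principals"] and c["valid_after"] <= now < c["valid_before"])

def build_sample_cert(ca_pub_line, key_id, principals, valid_after, valid_before):
    # Constructed demo cert: zeroed nonce, key and signature, so only the structure is real.
    body = (_s(CERT_TYPE) + _s(bytes(32)) + _s(bytes(32)) + struct.pack(">QI", 1, 1)
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before) + _s(b"") * 3
            + _s(_blob(ca_pub_line)) + _s(_s(b"ssh-ed25519") + _s(bytes(64))))
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode() + " " + key_id

CA_LINE = "cert-authority ssh-ed25519 " + base64.b64encode(_s(b"ssh-ed25519") + _s(b"\x22" * 32)).decode()  # constructed, not a real key
```

For a real certificate, ssh-keygen -L -f on the -cert.pub file prints the same fields; principals and a -V validity window are what stop a lost key's certificate from being valid for every user, everywhere, forever.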

google compute

If you use Google Cloud Compute Engine, you can set SSH public keys in the metadata, and their agent will insert them into authorized_keys for you on demand. Unfortunately, ssh certificates don't work there (invalid format).