OpenSSH 5.4 was released on 2010-03-08, and that is when the project added support for certificate authentication of users and hosts using an OpenSSH certificate format (not X.509).

Why am I telling you this? Because I wanted to find out since when exactly I have been putting off actually experimenting with SSH certificates, and I can now with certainty say that as far as this topic is concerned I've been an idiot over the last 16 years!

@jpmens I've been doing this for a while and it's been great https://jamesog.net/2023/03/03/yubikey-as-an-ssh-certificate-authority/
YubiKey as an SSH Certificate Authority

This is a guide to setting up a YubiKey for use as an offline SSH certificate authority. This assumes a brand new YubiKey with no prior configuration on it, to be used solely as a CA. Why? Typically a CA should be on a secured, isolated machine. Using a dedicated YubiKey means you can isolate your CA and keep it in a drawer so that it can’t be accessed. YubiKeys offer protections such as requiring a PIN and/or touching the key for PIV operations.

@jamesog very good writeup and thank you.

I see you've added stuff to ensure I had a coffee before starting!

I stumbled over "first" and "second" as the order is swapped. (Just a small nit.)

@jpmens Ooh thanks. I’ll check that later. It was stitched together from a lot of different notes and terminal scrollback!
@jamesog I know what that's like :-) and I wasn't complaining, just pointing out discrepancies I noticed (hoping they actually are such so as not to embarrass myself :-)
@jpmens I appreciate the feedback :-)