I think what I'd really want in SSH auth would be a short-lived, certificate-based workflow that works like this: you run a program to auth via any of many different available methods to an identity provider that issues an SSH cert to me, and it gets put into my ssh-agent. Then the remote host's sshd is configured to trust identity certs from that provider's CA cert, and since I'm operating in a cloud environment where I may not want local accounts to be autogenerated, I'd optionally like that when the sshd authenticates me by that cert, it logs my identity as provided in the short-lived identity cert but logs me in as the uid 1000 account, so no local accounts have to be created on the system.
Smallstep CA seems to do all of this except the part about not creating accounts and just logging in as the uid 1000 account.
A major advantage of this model is that you don't need to manage authorized_keys or local users any more, and you only need to make changes to the identity system's authentication model when new options come about. What do you think?
certificate model might still be better
Date: 2022-09-22 10:38 pm (UTC)
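The sshd-side decision the comment is asking for, as an added example (not OpenSSH's or smallstep's code): it encodes and parses the identity fields of an ssh-ed25519 user certificate in the PROTOCOL.certkeys layout, using constructed dummy keys and no signature check (sshd does that against TrustedUserCAKeys), then applies sshd's principal rule. Logging in as a shared account while logging the person's identity is what OpenSSH's AuthorizedPrincipalsFile provides: the account's principals file lists the person's principal name, and sshd records the certificate's key ID in its log.

```python
import struct

def _s(b):                      # SSH "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _rd(buf, off):              # read one SSH string, return (bytes, new offset)
    n = struct.unpack(">I", buf[off:off + 4])[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def make_cert(key_id, principals, valid_after, valid_before, serial=1):
    # Constructed user cert: user key, CA key and signature are dummy bytes,
    # enough for the parser below, not a real signed certificate.
    plist = b"".join(_s(p.encode()) for p in principals)
    return (_s(b"ssh-ed25519-cert-v01@openssh.com")
            + _s(b"\x00" * 32) + _s(b"\x01" * 32)          # nonce, user public key
            + struct.pack(">QI", serial, 1)                 # serial, type 1 = user cert
            + _s(key_id.encode()) + _s(plist)               # key ID, packed principals
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")                   # critical opts, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(b"\x02" * 32))     # CA public key
            + _s(_s(b"ssh-ed25519") + _s(b"\x03" * 64)))    # signature

def parse_cert(blob):
    """Decode the identity-bearing fields of an ed25519 user certificate."""
    ctype, off = _rd(blob, 0)
    if ctype != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("unexpected certificate type")
    for _ in range(2):                                      # skip nonce and user public key
        _, off = _rd(blob, off)
    serial, kind = struct.unpack(">QI", blob[off:off + 12]); off += 12
    key_id, off = _rd(blob, off)
    plist, off = _rd(blob, off)
    principals, p = [], 0
    while p < len(plist):
        name, p = _rd(plist, p)
        principals.append(name.decode())
    va, vb = struct.unpack(">QQ", blob[off:off + 16])
    return {"key_id": key_id.decode(), "serial": serial, "is_user": kind == 1,
            "principals": principals, "valid_after": va, "valid_before": vb}

def authorize(blob, login_user, now, principals_file=None):
    """Mirror sshd's certificate decision (signature check omitted): a user cert
    inside its validity window whose principals include login_user when no
    AuthorizedPrincipalsFile is configured, or a name from that file when it is."""
    c = parse_cert(blob)
    if not c["is_user"] or now < c["valid_after"] or now >= c["valid_before"]:
        return False, "Certificate invalid: expired or not yet valid"
    accepted = set(principals_file) if principals_file is not None else {login_user}
    if not accepted.intersection(c["principals"]):
        return False, "Certificate invalid: name is not a listed principal"
    # Modelled on sshd's log line: the account is login_user, the audited identity is the key ID
    return True, f"Accepted publickey for {login_user}: ID {c['key_id']} (serial {c['serial']})"
```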