ovh / the-bastion

Authentication, authorization, traceability and auditability for SSH accesses.
https://ovh.github.io/the-bastion/

Feature Request: `*-sk` keys supporting PIV-like policies #475

Open codyro opened 2 months ago

codyro commented 2 months ago

Now that The Bastion supports `*-sk` keys, it would be nice to have PIV-like policies available to limit keys to an account to PIV/SK/FIDO2, grace periods, etc. It could potentially utilize `PubkeyAuthOptions` in some capacity.

Please close this if it seems like a stinker of an idea :).

speed47 commented 1 month ago

Well, that would completely make sense indeed!

Contrary to e.g. "RSA GPG keys used as SSH keys through gpg-agent's ssh-agent compatibility layer", where, on server side, we have no way to differentiate between such a (hardware) key and an RSA key stored in a file, the `*-sk` series does guarantee that, as PIV does.

I'll check the feasibility, but I like the idea!
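The following is an added example, not code from the-bastion or from either commenter. It models the policy sketched in the feature request (only `*-sk` key types accepted, a grace period for legacy keys) together with speed47's point that the server can tell an sk key apart from a file-backed one: it audits an `authorized_keys` file offline, checks that each key blob really carries the `sk-*` type its line claims, and requires the OpenSSH `verify-required` option (the same thing `PubkeyAuthOptions verify-required` enforces globally in `sshd_config`). The `Policy` and `Finding` types, the parsing helpers and the sample key lines are assumptions of this example; the sample key material is constructed dummy bytes with correct type headers, not real keys.

```python
"""Audit an OpenSSH authorized_keys file against a FIDO2 ("*-sk") key policy.

Added example, not part of the-bastion. The Policy/Finding types and the
sample file below are constructed for illustration.
"""
from __future__ import annotations

import base64
import struct
from dataclasses import dataclass
from datetime import date

# OpenSSH key types whose private half lives in a FIDO2 authenticator.
SK_KEY_TYPES = frozenset({"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"})


@dataclass(frozen=True)
class Policy:
    require_sk: bool = True          # only *-sk key types are acceptable
    require_verify: bool = True      # 'verify-required' (PIN/biometric) must be set on sk keys
    grace_until: date | None = None  # non-sk keys are tolerated up to and including this date


@dataclass(frozen=True)
class Finding:
    line_no: int
    key_type: str
    comment: str
    verdict: str  # "ok", "grace" or "reject"
    reason: str


def _fields(line: str) -> list[str]:
    """Split on whitespace that is not inside double quotes (options like from="a b" keep their spaces)."""
    out, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch.isspace() and not quoted:
            if cur:
                out.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def _split_options(field: str) -> list[str]:
    """Split the options field on commas, honouring double quotes (from="10.0.0.1,10.0.0.2")."""
    opts, cur, quoted = [], [], False
    for ch in field:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        opts.append("".join(cur))
    return opts


def _blob_key_type(b64: str) -> str | None:
    """Return the key type encoded inside the blob (first length-prefixed string), or None if malformed."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        if n == 0 or len(raw) < 4 + n:
            return None
        return raw[4:4 + n].decode("ascii")
    except (ValueError, struct.error, UnicodeDecodeError):
        return None


def audit_line(line_no: int, line: str, policy: Policy, today: date) -> Finding | None:
    """Evaluate one authorized_keys line; blank lines and comments yield None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = _fields(stripped)
    options: list[str] = []
    if not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):  # leading options field present
        options, fields = _split_options(fields[0]), fields[1:]
    if len(fields) < 2:
        return Finding(line_no, "?", "", "reject", "unparseable line")
    key_type, b64, comment = fields[0], fields[1], " ".join(fields[2:])
    actual = _blob_key_type(b64)
    if actual != key_type:  # the blob, not the label, is what sshd trusts
        return Finding(line_no, key_type, comment, "reject", f"blob type {actual!r} != stated {key_type!r}")
    if key_type not in SK_KEY_TYPES:
        if not policy.require_sk:
            return Finding(line_no, key_type, comment, "ok", "non-sk key allowed by policy")
        if policy.grace_until and today <= policy.grace_until:
            return Finding(line_no, key_type, comment, "grace", f"non-sk key tolerated until {policy.grace_until}")
        return Finding(line_no, key_type, comment, "reject", "not a security-key (*-sk) key type")
    if policy.require_verify and "verify-required" not in options:
        return Finding(line_no, key_type, comment, "reject", "sk key without verify-required")
    return Finding(line_no, key_type, comment, "ok", "sk key with user verification")


def audit(text: str, policy: Policy, today: date) -> list[Finding]:
    found = (audit_line(i, ln, policy, today) for i, ln in enumerate(text.splitlines(), 1))
    return [f for f in found if f is not None]


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _fake_blob(key_type: str, *parts: bytes) -> str:
    """Constructed key blob: correct type header followed by dummy key fields."""
    return base64.b64encode(_ssh_string(key_type.encode()) + b"".join(_ssh_string(p) for p in parts)).decode()


# Constructed sample file (dummy key material, not real keys).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    "verify-required,touch-required sk-ssh-ed25519@openssh.com "
    + _fake_blob("sk-ssh-ed25519@openssh.com", b"\x01" * 32, b"ssh:") + " alice@yubikey",
    "sk-ecdsa-sha2-nistp256@openssh.com "
    + _fake_blob("sk-ecdsa-sha2-nistp256@openssh.com", b"nistp256", b"\x04" + b"\x02" * 64, b"ssh:") + " bob@no-verify",
    'from="192.0.2.10,192.0.2.11" ssh-ed25519 ' + _fake_blob("ssh-ed25519", b"\x03" * 32) + " carol@laptop",
    "sk-ssh-ed25519@openssh.com " + _fake_blob("ssh-ed25519", b"\x03" * 32) + " mallory@mislabelled",
])


def run_sample(today_iso: str = "2024-01-15") -> dict[str, str]:
    """Audit the sample file with a grace period ending 2024-06-30; returns comment -> verdict."""
    policy = Policy(grace_until=date(2024, 6, 30))
    return {f.comment: f.verdict for f in audit(SAMPLE_AUTHORIZED_KEYS, policy, date.fromisoformat(today_iso))}


if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, Policy(grace_until=date(2024, 6, 30)), date.today()):
        print(f"line {f.line_no}: {f.verdict:6} {f.key_type:36} {f.comment:22} {f.reason}")
```

The blob-versus-label check matters because the type string in the blob is what sshd actually parses; a line that merely says `sk-ssh-ed25519@openssh.com` in front of an ordinary `ssh-ed25519` blob proves nothing about where the private key lives. The same two requirements can be enforced server-wide with `PubkeyAcceptedAlgorithms` restricted to the `sk-*` types and `PubkeyAuthOptions verify-required` in `sshd_config`, but a per-account audit like this one is what a grace-period policy needs.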