Open codyro opened 2 months ago

Now that The Bastion supports *-sk keys, it would be nice to have PIV-like policies available to limit keys to an account to PIV/SK/FIDO2, grace periods, etc. It could potentially utilize PubkeyAuthOptions in some capacity. Please close this if it seems like a stinker of an idea :).

Well, that would completely make sense indeed!

Contrary to e.g. "RSA GPG keys used as SSH keys through gpg-agent's ssh-agent compatibility layer", where, on the server side, we have no way to differentiate between such a (hardware) key and an RSA key stored in a file, the *-sk series does guarantee that, as PIV does.

I'll check the feasibility, but I like the idea!
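The distinction made in this thread (sshd can recognise a *-sk key from its public-key blob, but an RSA key behind gpg-agent looks exactly like an RSA key in a file) can be checked mechanically. The following is an added example written for this page, not code from The Bastion: it parses authorized_keys lines, classifies each key as provably authenticator-backed (`sk`) or of unknowable backing (`plain`), and evaluates a hypothetical per-account `sk-only` policy. The function names, the policy names and the sample keys are assumptions; the wire formats follow OpenSSH's PROTOCOL.u2f and the `no-touch-required` option is the OpenSSH authorized_keys option of that name.

```python
# Added example for this thread (not code from The Bastion): classify OpenSSH
# public keys by whether sshd can prove they are authenticator-backed (*-sk)
# and enforce a hypothetical per-account "sk-only" policy. Function and policy
# names are assumptions; the wire formats follow OpenSSH's PROTOCOL.u2f.
import base64
import struct

# Key types whose public blob embeds a FIDO application string.
SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
# Plain types: a file key, a GPG key via gpg-agent and a PIV key via an agent
# all present the same blob, so the server cannot tell them apart.
PLAIN_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    start, end = off + 4, off + 4 + n
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_authorized_key(line):
    """Return (options, key_type, application) for one authorized_keys line;
    application is the FIDO application string for *-sk keys, else None.
    Assumption: a leading options field contains no whitespace."""
    fields = line.split()
    options = set()
    if fields and not fields[0].startswith(KEY_TYPE_PREFIXES):
        options = set(fields.pop(0).split(","))
    if len(fields) < 2:
        raise ValueError("malformed authorized_keys line")
    declared, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    raw_type, off = _read_string(blob, 0)
    key_type = raw_type.decode("ascii")
    if key_type != declared:  # the text field is advisory; trust the blob
        raise ValueError(f"declared type {declared!r} != blob type {key_type!r}")
    application = None
    if key_type == "sk-ssh-ed25519@openssh.com":
        _pk, off = _read_string(blob, off)
        application = _read_string(blob, off)[0].decode("utf-8")
    elif key_type == "sk-ecdsa-sha2-nistp256@openssh.com":
        _curve, off = _read_string(blob, off)
        _point, off = _read_string(blob, off)
        application = _read_string(blob, off)[0].decode("utf-8")
    return options, key_type, application


def classify(line):
    """'sk' if the key is provably authenticator-backed, 'plain' if the backing
    store is unknowable server-side, 'unknown' for any other type."""
    key_type = parse_authorized_key(line)[1]
    if key_type in SK_TYPES:
        return "sk"
    return "plain" if key_type in PLAIN_TYPES else "unknown"


def check_policy(lines, policy):
    """Evaluate lines against 'any' (all parseable keys) or 'sk-only' (*-sk
    keys only, and not weakened by OpenSSH's no-touch-required option).
    Returns a list of (classification, allowed) per line."""
    results = []
    for line in lines:
        opts = parse_authorized_key(line)[0]
        kind = classify(line)
        if policy == "any":
            ok = kind != "unknown"
        elif policy == "sk-only":
            ok = kind == "sk" and "no-touch-required" not in opts
        else:
            raise ValueError(f"unknown policy {policy!r}")
        results.append((kind, ok))
    return results


# Constructed sample keys (not real credentials) in authorized_keys form.
def _s(b):
    return struct.pack(">I", len(b)) + b


def _line(key_type, body, comment, options=None):
    b64 = base64.b64encode(_s(key_type.encode()) + body).decode()
    return f"{options + ' ' if options else ''}{key_type} {b64} {comment}"


SAMPLE_SK_ED25519 = _line("sk-ssh-ed25519@openssh.com",
                          _s(b"\x11" * 32) + _s(b"ssh:"), "alice@yubikey")
SAMPLE_SK_NOTOUCH = _line("sk-ssh-ed25519@openssh.com",
                          _s(b"\x22" * 32) + _s(b"ssh:"), "alice@yubikey",
                          options="no-touch-required")
SAMPLE_RSA = _line("ssh-rsa", _s(b"\x01\x00\x01") + _s(b"\x00\xc3"),
                   "bob@gpg-agent-or-file")  # file key or gpg-agent: same blob
```

Running `check_policy([SAMPLE_SK_ED25519, SAMPLE_SK_NOTOUCH, SAMPLE_RSA], "sk-only")` allows only the first key: the second is an sk key whose line waives user presence, and the third is an RSA blob that could equally come from a file, gpg-agent or a PIV applet. A type check of this kind is what an "sk-only" policy needs in addition to sshd's own `PubkeyAuthOptions touch-required` / `verify-required`, since those options, as documented, constrain signatures made by FIDO keys rather than refusing other key types.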