I thought of something similar, but the user said "but I want to have
multiple ssh keys because I use different keys on different devices"
:/
Op wo 3 feb. 2021 om 23:59 schreef Peter Moody <mindrot at
hda3.com>:>
> On Wed, Feb 3, 2021 at 2:48 PM Wim S <wimsharing at gmail.com> wrote:
>
> > This prevents getting into the system if you have control of the MFA
> > setup (which is handled by another team) or getting into the system
> > without MFA :-)
>
> heh, seems like you all have trust issues :)
>
> more seriously though, without over-engineering this, you I *think*
> you could do something like
>
> AuthenticationMethods publickey,publickey
> TrustedUserCAKeys /etc/ssh/trusted_user_ca.pub
> AuthorizedKeysFile none
> AuthorizedKeysCommand /pull/a/single/key %h/.ssh/authorized_keys
> AuthorizedKeysCommandUser nobody
>
> and then /pull/a/single/key looks like
>
> #!/bin/bash
> head -1 $1
>
> or you could store the pubkeys somewhere the user can't control, like
> ldap, and use an authorizedkeyscommand to fetch them.
>
> I agree though, if a publickey:certificate option existed, it'd be a
> lot cleaner.