>It's actually 2 factors in our setup, the ssh certificate is created
>using MFA (and have a short lifetime), and the pubkey is the users own
>private key.
>
>This prevents getting into the system if you have control of the MFA
>setup (which is handled by another team) or getting into the system
>without MFA :-)
My understanding was the certificate can only be used in conjunction with the
user's private key anyway? So I think what you're after already happens
automatically.
E.g. I have a user set up like this:
$ ls .ssh
config id_ed25519 id_ed25519-cert.pub id_ed25519.pub known_hosts
$ cat .ssh/config
Host repos
User git
Hostname 10.0.0.1
PasswordAuthentication no
PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com
StrictHostKeyChecking accept-new
IdentityFile ~/.ssh/id_ed25519
IdentitiesOnly yes
When I move the id_ed25519 out of ~/.ssh, I get permission denied:
$ ssh repos
no such identity: <home-directory>/.ssh/id_ed25519: No such file or
directory
git@10.0.0.1: Permission denied (publickey).
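As an added illustration, not code from this thread, here is a small Python decoder for the ssh-ed25519-cert-v01@openssh.com format: it shows that the certificate embeds the user's public key and a validity window, so the certificate is only usable together with the matching private key. The key material, principal and timestamps are constructed, and signature verification is left to sshd.

```python
import base64
import struct

# Minimal decoder for ssh-ed25519-cert-v01@openssh.com (OpenSSH PROTOCOL.certkeys).
# It exposes only the fields that bind a cert to one public key and one validity
# window; signature checking is sshd's job. All sample data below is constructed.
def _s(b):  # encode an SSH wire 'string': uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def _read_string(buf, off):  # decode one SSH wire 'string'; return (bytes, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n
def parse_ed25519_cert(cert_line):
    """Decode 'ssh-ed25519-cert-v01@openssh.com <base64> [comment]' into a dict."""
    kind, b64 = cert_line.split()[:2]
    if kind != "ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("not an ed25519 certificate")
    buf = base64.b64decode(b64)
    off = _read_string(buf, _read_string(buf, 0)[1])[1]  # skip key type name and nonce
    key, off = _read_string(buf, off)  # the user's own ed25519 public key
    serial, ctype = struct.unpack_from(">QI", buf, off)
    key_id, off = _read_string(buf, off + 12)
    plist, off = _read_string(buf, off)  # principals: a packed list of strings
    principals, p = [], 0
    while p < len(plist):
        name, p = _read_string(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    return {"key": key, "serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}
def raw_key(pubkey_line):  # the 32-byte key from an 'ssh-ed25519 <base64> [comment]' line
    buf = base64.b64decode(pubkey_line.split()[1])
    return _read_string(buf, _read_string(buf, 0)[1])[0]
def cert_matches_key(cert_line, pubkey_line):  # True only if the cert was issued for this key
    return parse_ed25519_cert(cert_line)["key"] == raw_key(pubkey_line)
def cert_is_current(cert_line, now):  # is Unix time 'now' inside the validity window?
    c = parse_ed25519_cert(cert_line)
    return c["valid_after"] <= now < c["valid_before"]
def build_sample_cert(key, valid_after, valid_before):
    """Assemble a structurally valid but UNSIGNED cert (constructed; signature is zeros)."""
    ca = _s(b"ssh-ed25519") + _s(b"\x02" * 32)  # constructed CA public key
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(key)
            + struct.pack(">QI", 7, 1) + _s(b"alice") + _s(_s(b"git"))  # serial 7, user cert
            + struct.pack(">QQ", valid_after, valid_before) + _s(b"")   # no critical options
            + _s(_s(b"permit-pty") + _s(b"")) + _s(b"") + _s(ca) + _s(b"\x00" * 64))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()
# Constructed sample: alice's key, an unrelated key, and a one-hour certificate for alice.
USER_KEY = bytes(range(32))
PUB_LINE = "ssh-ed25519 " + base64.b64encode(_s(b"ssh-ed25519") + _s(USER_KEY)).decode() + " alice"
OTHER_PUB_LINE = "ssh-ed25519 " + base64.b64encode(_s(b"ssh-ed25519") + _s(bytes(32))).decode()
CERT_LINE = build_sample_cert(USER_KEY, 1_700_000_000, 1_700_003_600)
```

Pointing the checks at a real `id_ed25519-cert.pub` and `id_ed25519.pub` pair shows the same binding that ssh enforces at login: the certificate names exactly one public key, and only that key's private half can complete the handshake.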