On 4/27/22 21:30, Wietse Venema wrote:
> Michael Stroeder:
>> So even if you cannot afford an HSM you can e.g. use ssh-agent via a Unix
>> domain socket for your SSH-CA to avoid having to grant direct read
>> access to the SSH-CA's private key to your SSH-CA service. Simple
>> solutions, which you can isolate a bit more with stuff already available
>> on many Linux systems (AppArmor or SELinux, systemd sandboxing, etc.).
> You give client-side examples;
No, not only client-side.
An SSH-CA server using ssh-keygen for cert signing can use ssh-agent
too, either for signing directly with a local key file or by using a
PKCS#11 module.
Ciao, Michael.
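The server-side setup Michael describes, as an added example that is not part of the thread: an SSH CA that signs a user certificate with ssh-keygen through ssh-agent, so the process doing the signing holds only the CA's public key and a socket. Everything here is assumed for illustration: the key comments, the principal "alice", the key ID, the temporary paths, and the agent being started in the same script (in production it would run under a separate uid or front a PKCS#11 token, and only the socket would be exposed to the CA service).

```shell
#!/bin/sh
# Added example, not code from the original mailing-list thread.
# Shows ssh-keygen's -U option: the CA key named by -s is a *public* key
# whose private half lives in ssh-agent, so the signer never reads it.
set -eu

# Creates a throwaway CA key, loads only it into a dedicated ssh-agent,
# deletes the private key file, and signs a user public key via the agent.
# Returns 0 if the resulting certificate verifies against the CA public
# key, 77 if ssh-keygen/ssh-agent are not installed, non-zero otherwise.
sshca_sign_via_agent() {
    command -v ssh-keygen >/dev/null 2>&1 || return 77
    command -v ssh-agent  >/dev/null 2>&1 || return 77

    work=$(mktemp -d)
    # A private agent for this demo; its socket is all the CA service needs.
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-agent -k >/dev/null 2>&1; rm -rf "$work"' EXIT

    # Hypothetical CA key pair (in production: HSM / PKCS#11 or an agent
    # running under a different uid, with only the socket shared).
    ssh-keygen -q -t ed25519 -N '' -C 'example-ssh-ca' -f "$work/ca"
    ssh-add -q "$work/ca"
    # The CA service keeps only the public half; removing the private key
    # file demonstrates that signing does not need it.
    rm -f "$work/ca"

    # The user key being certified (hypothetical user "alice").
    ssh-keygen -q -t ed25519 -N '' -C 'alice@example' -f "$work/alice"

    # -U: CA private key is in the agent; -s: the CA *public* key;
    # -I: key identity; -n: principals; -V: validity window.
    ssh-keygen -U -s "$work/ca.pub" -I 'alice-2022-04' -n alice -V +1h \
        "$work/alice.pub"

    # Check: the certificate's "Signing CA" fingerprint must match ca.pub.
    ca_fp=$(ssh-keygen -lf "$work/ca.pub" | awk '{print $2}')
    cert_ca_fp=$(ssh-keygen -Lf "$work/alice-cert.pub" | awk '/Signing CA/ {print $4}')
    [ -n "$ca_fp" ] && [ "$ca_fp" = "$cert_ca_fp" ]
}

# Run stand-alone with:  sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    sshca_sign_via_agent && echo "certificate signed via ssh-agent and verified"
fi
```

The same invocation works unchanged when the CA key sits on a PKCS#11 token loaded into the agent with `ssh-add -s /path/to/module.so`: ssh-keygen still only sees the public key and the agent socket.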