by 4kevinking
2982 days ago
Yes, in this case the Krypton SSH key pair is long-lived, but the certificate issued to it by the server would be short-lived. How are users authenticating to this 2FA CA in the first place? Instead of using username/password and 2FA, users could authenticate to the CA using Krypton and then use the issued certificate for short-lived access. If Krypton using a long-lived SSH key pair is a non-starter, automatic key rotation could be added down the line (sort of like being forced to change your password, but this would be automated).
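The arrangement the comment describes, a long-lived user key that only gets a short-lived certificate from a CA, can be tried locally with a plain OpenSSH user CA. This is an added example, not code from the thread or from Krypton; all key names, the principal "alice" and the key ID are constructed placeholders, and it assumes ssh-keygen is installed.

```shell
#!/bin/sh
# Added example: a local OpenSSH user CA issuing a short-lived certificate
# to a long-lived user key pair. Names and paths are constructed placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Long-lived user key pair (stands in for the key a Krypton-style agent keeps).
make_user_key() {
  ssh-keygen -q -t ed25519 -N '' -C 'alice-long-lived' -f "$WORK/user_key"
}

# The CA's own signing key (stands in for the 2FA CA in the comment).
make_ca_key() {
  ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/ca_key"
}

# Sign the user's public key with the CA key for a short validity window.
# $1 = principal the cert is valid for, $2 = validity, e.g. +30m.
# Prints the path of the resulting certificate (ssh-keygen writes <key>-cert.pub).
issue_cert() {
  ssh-keygen -q -s "$WORK/ca_key" -I 'alice@laptop' -n "$1" -V "$2" \
    "$WORK/user_key.pub"
  echo "$WORK/user_key-cert.pub"
}

# Print the certificate's "Valid: from ... to ..." line so the lifetime can be checked.
cert_validity() {
  ssh-keygen -L -f "$1" | grep 'Valid:' | sed 's/^[[:space:]]*//'
}

# Print the principals the certificate was issued for, one per line.
cert_principals() {
  ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
    | grep -v -e 'Principals:' -e 'Critical Options:' | sed 's/^[[:space:]]*//'
}

make_user_key
make_ca_key
CERT="$(issue_cert alice +30m)"   # 30-minute cert on a key that never rotates
cert_validity "$CERT"             # e.g. "Valid: from 2024-... to 2024-..."
cert_principals "$CERT"           # "alice"
```

On the server side, `TrustedUserCAKeys` in sshd_config pointing at ca_key.pub is what makes sshd accept certificates signed this way; once the window in the Valid line passes, the same long-lived key is refused until the CA issues a new certificate.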