https://jamesog.net/tags/ssh/ Recent content in ssh on james(bl)og Hugo en-gb Sat, 28 Mar 2026 16:00:00 +0000 https://jamesog.net/2023/03/03/setting-up-nixos-to-use-an-ssh-ca/ Fri, 03 Mar 2023 21:00:00 +0000 https://jamesog.net/2023/03/03/setting-up-nixos-to-use-an-ssh-ca/ <p>In my <a href="https://jamesog.net/2023/03/03/yubikey-as-an-ssh-certificate-authority/">previous post</a> I described how to set up an SSH certificate authority using a YubiKey.</p> <p>I&rsquo;ve been experimenting with NixOS again recently — having had several failed attempts before due to the utterly impenetrable documentation — but I&rsquo;m curious enough to spend a bit more effort on it.</p> <p>Even though I&rsquo;m only running it in test VMs right now I still want to get a good feel for running it on a server, so I want to be able to log in using a signed certificate.</p> https://jamesog.net/2023/03/03/yubikey-as-an-ssh-certificate-authority/ Fri, 03 Mar 2023 16:00:00 +0000 https://jamesog.net/2023/03/03/yubikey-as-an-ssh-certificate-authority/ <p>This is a guide to setting up a YubiKey for use as an offline SSH certificate authority.</p> <p>This assumes a brand new YubiKey with no prior configuration on it, to be used solely as a CA.</p> <h2 id="why">Why?</h2> <p>Typically a CA should be on a secured, isolated machine. Using a dedicated YubiKey means you can isolate your CA and keep it in a drawer so that it can&rsquo;t be accessed. YubiKeys offer protections such as requiring a PIN and/or touching the key for <a href="https://developers.yubico.com/PIV/">PIV</a> operations.</p>