[GH-ISSUE #475] Feature Request: *-sk keys supporting PIV-like policies #121

New issue

Open

opened 2026-05-07 00:19:11 +02:00 by BreizhHardware · 1 comment

BreizhHardware commented 2026-05-07 00:19:11 +02:00

Owner

Copy link

Originally created by @codyro on GitHub (Apr 23, 2024).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/475

Now that The Bastion supports *-sk keys, it would be nice to have PIV-like policies available to limit keys to an account to PIV/SK/FIDO2, grace periods, etc. It could potentially utilize PubkeyAuthOptions in some capacity.

Please close this if it seems like a stinker of an idea :).

Originally created by @codyro on GitHub (Apr 23, 2024). Original GitHub issue: https://github.com/ovh/the-bastion/issues/475 Now that The Bastion supports `*-sk` keys, it would be nice to have PIV-like policies available to limit keys to an account to PIV/SK/FIDO2, grace periods, etc. It could potentially utilize [`PubkeyAuthOptions`](https://man.openbsd.org/sshd_config#PubkeyAuthOptions) in some capacity. Please close this if it seems like a stinker of an idea :).

BreizhHardware added the

feature

label 2026-05-07 00:19:11 +02:00

BreizhHardware commented 2026-05-07 00:19:11 +02:00

Author

Owner

Copy link

@speed47 commented on GitHub (May 22, 2024):

Well, that would completely make sense indeed!

Contrary to e.g. "RSA GPG keys used as SSH keys through gpg-agent's ssh-agent compatibility layer", where, on server side, we have no way to differentiate between such a (hardware) key and an RSA key stored in a file, the *-sk series does guarantee that, as PIV does.

I'll check the feasibility, but I like the idea!

<!-- gh-comment-id:2124935281 --> @speed47 commented on GitHub (May 22, 2024): Well, that would completely make sense indeed! Contrary to e.g. "RSA GPG keys used as SSH keys through `gpg-agent`'s `ssh-agent` compatibility layer", where, on server side, we have no way to differentiate between such a (hardware) key and an RSA key stored in a file, the `*-sk` series does guarantee that, as PIV does. I'll check the feasibility, but I like the idea!

BreizhHardware referenced this issue 2026-05-07 00:20:01 +02:00

[PR #121] [MERGED] fix: osh-lingering-sessions-reaper.sh: tocttou on kill #254

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

expifix

groupcreate_fix_uid

fix_group_gid_fast

gh-pages

clush

expiration

jsonvalidator

v3.23.01

v3.23.00

v3.22.00

v3.21.00

v3.20.00

v3.19.01

v3.19.00

v3.18.99-rc1

v3.18.00

v3.17.01

v3.17.00

v3.16.99-rc3

v3.16.99-rc2

v3.16.99-rc1

v3.16.01

v3.16.00

v3.15.00

v3.14.16

v3.14.15

v3.14.00

v3.13.01

v3.13.00

v3.12.00

v3.11.02

v3.11.01

v3.11.00

v3.10.00

v3.09.02

v3.09.00-really

v3.09.00

v3.09.00-rc3

v3.09.00-rc2

v3.09.00-rc1

v3.08.01

v3.08.00

v3.07.00

v3.06.00

v3.05.01

v3.05.00

v3.04.00

v3.03.99-rc2

v3.03.99-rc1

v3.03.01

v3.03.00

v3.02.00

v3.01.99-rc4

v3.01.99-rc3

v3.01.99-rc2

v3.01.99-rc1

v3.01.03

v3.01.02

v3.01.01

v3.01.00

v3.00.02

v3.00.01

v3.00.00

Labels

Clear labels   

answered

  

bug

  

documentation

  

enhancement

  

enhancement

  

feature

  

feature

  

kept-open-for-info

  

pull-request

Mirrored from GitHub Pull Request

  

question

No labels

answered

bug

documentation

enhancement

enhancement

feature

feature

kept-open-for-info

pull-request

question

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/the-bastion#121

No description provided.