cmc

### I use HSM backed SSH certs and so can you. [why?: keys can be stolen, certs expire!]
 
1. Get a YubiHSM2 @ https://www.yubico.com/products/hardware-security-module/
2. Follow this: https://github.com/YubicoLabs/yubihsm-ssh-tool [ Yes, you're going to have to install all the other yubico stuff too, yubico-connector, etc, ..] on your issuing machine, or airgapped machine.
3. Be content that you can now sign certificates with the HSM on the issuer/airgapped machine.
3. Update /etc/ssh/sshd_config on remote server to add:
    TrustedUserCAKeys /etc/ssh/ca.pub
    AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
4. Add principals here:
    ex:

cmc

import logging
import os
import requests
import sys
import time

ROOT = logging.getLogger()
ROOT.setLevel(logging.DEBUG)
HANDLER = logging.StreamHandler(sys.stdout)
HANDLER.setLevel(logging.DEBUG)

cmc

Keybase proof

I hereby claim:

• I am cmc on github.
• I am cmccsec (https://keybase.io/cmccsec) on keybase.
• I have a public key whose fingerprint is 9CC9 F1A8 39AD FA13 CC44 927D 972D 9418 25A3 8832

To claim this, I am signing this object:

cmc

Keybase proof

I hereby claim:

• I am cmccsec on github.
• I am cmccsec (https://keybase.io/cmccsec) on keybase.
• I have a public key whose fingerprint is DDDF 2043 76B1 2992 CF53 FE08 6CA2 02FD 2703 7BAF

To claim this, I am signing this object:

cmc

Keybase proof

I hereby claim:

• I am cmc87 on github.
• I am cmccsec (https://keybase.io/cmccsec) on keybase.
• I have a public key whose fingerprint is DDDF 2043 76B1 2992 CF53 FE08 6CA2 02FD 2703 7BAF

To claim this, I am signing this object: