From 859deb06640e35e1da441990dc4b0fc9c5b696c0 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 3 Oct 2023 19:32:32 -0500
Subject: [PATCH] sshkeys: Trust certificates issued by the CA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Now that we have an internal SSH certificate authority, instead of explicitly listing all M×N keys for each user and client machine, we can list only the CA certificate in the SSH authorized keys file for the *core* user. This will allow any user who presents a valid, signed SSH certificate for the *core* principal to log in.
---
 sshkeys.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sshkeys.yaml b/sshkeys.yaml
index e705dd8..6dbcdec 100644
--- a/sshkeys.yaml
+++ b/sshkeys.yaml
@@ -4,5 +4,4 @@ passwd:
 users:
 - name: core
 ssh_authorized_keys:
- sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINZCN2cxMDwedJ1Ke23Z3CZRcOYjqW8fFqsooRus7RK0AAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
- sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAB6xTCSNz+AcQCWcyVKs84tThXN4wpLgCo2Lc48L6EsAAAABHNzaDo= dustin@luma.pyrocufflink.blue
+ - cert-authority ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBImIoTTmhynCVy/vJ/Q2bWydzqVsvwhGvDgBbklw0eDt8UEbbP9HHPhxiMDtiAhbvRTg5BhYVAlR1MgdooT5dwQ=
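Review bot: The added `cert-authority` entry accepts any certificate the CA signs for the `core` principal, so what the two removed `sk-ssh-ed25519@openssh.com` lines guaranteed (hardware-backed keys, and one line to delete per client) now depends entirely on CA issuance policy, which this file does not show. Cutting off a single lost or compromised client key no longer means deleting a line here; it needs short certificate lifetimes or a key revocation list (`RevokedKeys` in sshd_config), and neither is visible in the hunk, so it may be handled elsewhere. I would record that on the entry with a comment above it, for example `# Internal SSH CA: any valid cert with principal "core" is accepted; revocation via <KRL path or cert lifetime>`, and end the key line with a comment field naming the CA (placeholder `<ca-name>`) so the entry can be identified in the rendered authorized keys file. The `users:` mapping starts before the hunk, so other settings on this user are not visible here.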