Secure Storage for TSH obtained credentials? #10252
programmerq started this conversation in Ideas
Replies: 0 comments
Currently, tsh writes x509 and openssh certificates and keys out to disk in the user's ~/.tsh directory.
Would it be feasible for TSH to optionally use a hardware storage mechanism to accomplish this?
A yubikey can store both x509 and openssh user certificates. This would help mitigate against an attacker trying to copy the private key credentials to another system altogether. Combined with utilizing a yubikey slot that requires touch, this can help reduce the attack surface for a given user's credentials. Combined with a short TTL, this could potentially greatly improve the security posture of a user who opts into this session.
Some ideas around how that might need to work:
tsh subcommands would need to be able to utilize the hardware storage.
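The risk the post describes is credential material that sits on disk and can be copied, and the mitigation it favours is a short TTL plus hardware-bound keys. Until something like that exists, a defender can at least audit what is on disk. The script below is an added example, not code from this discussion or from the Teleport project: it walks a credential directory, flags any private-key file (PEM or OpenSSH format) and whether it is readable by group or other, and for `*-cert.pub` files decodes the OpenSSH certificate wire format to report how long the certificate is valid. The directory layout, the `alice` key names, the 12-hour threshold and the unsigned sample certificate are all constructed for the example; nothing here assumes the real layout of `~/.tsh`.

```python
import base64
import os
import stat
import struct
import tempfile
import time
from pathlib import Path

# Number of key-specific string fields that sit between the nonce and the
# serial in an OpenSSH certificate (PROTOCOL.certkeys): ed25519 has the raw
# key, rsa has e and n, ecdsa has curve name and point.
KEY_FIELDS_BEFORE_SERIAL = {
    "ssh-ed25519-cert-v01@openssh.com": 1,
    "ssh-rsa-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp384-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp521-cert-v01@openssh.com": 2,
}


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def parse_cert_validity(cert_line):
    """Return (key_id, valid_after, valid_before) from an OpenSSH cert line."""
    parts = cert_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH certificate line")
    blob = base64.b64decode(parts[1])
    cert_type, off = _read_string(blob, 0)
    cert_type = cert_type.decode()
    _, off = _read_string(blob, off)                      # nonce
    for _ in range(KEY_FIELDS_BEFORE_SERIAL[cert_type]):  # public key parts
        _, off = _read_string(blob, off)
    off += 12                                             # uint64 serial + uint32 type
    key_id, off = _read_string(blob, off)
    _, off = _read_string(blob, off)                      # valid principals
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return key_id.decode(), valid_after, valid_before


def audit_credential_dir(root, max_ttl_hours=12, now=None):
    """Report on-disk private keys and long-lived certificates under root."""
    now = time.time() if now is None else now
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        data = p.read_bytes()
        mode = stat.S_IMODE(p.stat().st_mode)
        if b"PRIVATE KEY-----" in data:            # PEM and OpenSSH key headers
            if mode & 0o044:
                findings.append((rel, "private key readable by group/other (mode %o)" % mode))
            else:
                findings.append((rel, "private key on disk (mode %o)" % mode))
        elif p.name.endswith("-cert.pub"):
            key_id, valid_after, valid_before = parse_cert_validity(data)
            ttl_hours = (valid_before - valid_after) / 3600
            if ttl_hours > max_ttl_hours:
                findings.append((rel, "certificate for %s valid %.1f h (limit %d h)"
                                 % (key_id, ttl_hours, max_ttl_hours)))
            if valid_before < now:
                findings.append((rel, "certificate for %s already expired" % key_id))
    return findings


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def build_sample_cert(valid_after, valid_before, key_id=b"alice"):
    """Constructed, unsigned ed25519 certificate with the real field layout."""
    body = b"".join([
        _ssh_string(b"ssh-ed25519-cert-v01@openssh.com"),
        _ssh_string(b"\x00" * 32),                 # nonce (constructed)
        _ssh_string(b"\x00" * 32),                 # public key (constructed)
        struct.pack(">QI", 1, 1),                  # serial, type=user
        _ssh_string(key_id),
        _ssh_string(_ssh_string(b"alice")),        # valid principals
        struct.pack(">QQ", valid_after, valid_before),
        _ssh_string(b""), _ssh_string(b""), _ssh_string(b""),  # options, extensions, reserved
        _ssh_string(b""), _ssh_string(b""),        # CA key, signature: empty, sample is unsigned
    ])
    return b"ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body) + b" alice@example\n"


def build_sample_dir(now):
    """Constructed credential directory: a loose private key and a 30 h cert."""
    root = Path(tempfile.mkdtemp(prefix="cred-audit-"))
    keydir = root / "keys" / "proxy.example"
    keydir.mkdir(parents=True)
    key = keydir / "alice"
    key.write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n-----END OPENSSH PRIVATE KEY-----\n")
    key.chmod(0o644)                               # deliberately too permissive
    (keydir / "alice-cert.pub").write_bytes(build_sample_cert(int(now) - 60, int(now) + 30 * 3600))
    return root


if __name__ == "__main__":
    sample = build_sample_dir(time.time())
    for path, issue in audit_credential_dir(sample):
        print(f"{path}: {issue}")
```

Run against a real credential directory by passing its path to `audit_credential_dir`; the private-key finding fires for every on-disk key even when the mode is tight, because the post's point is that the key being copyable at all is the exposure.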