We trust SSH keys with access to our most critical infrastructure. We store them on disk, we backup them to the cloud, and we tell ourselves they’re “secure enough.” But what if everything we thought we knew about SSH access was fundamentally broken?
The Sentinel-SSH project reveals a radically different approach to infrastructure access—one that eliminates private keys from disk entirely, requires physical presence for every connection, and renders stolen credentials completely useless. Here are the five most surprising insights that challenge everything conventional wisdom tells us about SSH security.
1. Your Private Keys Don’t Need to Exist (And Probably Shouldn’t)
The most counter-intuitive revelation: you can SSH into servers without ever storing a private key on your computer.
Traditional SSH depends on ~/.ssh/id_rsa files sitting on your disk. If your laptop is compromised, those keys are compromised. If you lose your device, you scramble to revoke access. The entire model assumes that keeping secrets on disk is an acceptable risk.
Sentinel-SSH flips this assumption on its head. By using YubiKey’s PIV (Personal Identity Verification) smart card mode, the private key lives exclusively on the hardware token. It’s generated there, it stays there, and it cannot be extracted—even by the owner.
“The private key never leaves the hardware token.”
This isn’t just incrementally better—it’s a fundamental shift in the threat model. Malware that steals ~/.ssh directories becomes powerless. Phishing attacks that exfiltrate credentials hit a brick wall. The attack surface shrinks from “compromise the system” to “physically steal the hardware and break the PIN.”
Why this matters: In a world of sophisticated supply chain attacks and zero-day vulnerabilities, betting your infrastructure security on the integrity of endpoint devices is a losing game. Hardware-bound keys shift the battlefield entirely.
2. Authentication Needs a Body (And That’s Actually a Good Thing)
Here’s the uncomfortable truth: most “multi-factor authentication” is theater. SMS codes can be intercepted. TOTP apps can be cloned. Password managers can be compromised.
Sentinel-SSH uses YubiKey OTP (One-Time Password) as the first authentication factor to Vault. This means you must physically touch the hardware key to generate a valid token. No touch, no access. Period.
The implementation combines this with short-lived SSH certificates (30-minute TTL) that expire automatically. You authenticate once with physical presence, get ephemeral credentials, and when those expire, you touch the key again.
This creates a beautiful constraint: remote attackers cannot maintain persistent access even if they compromise your Vault token, because they can’t generate new OTPs without the physical device.
Why this matters: We’ve normalized the idea that security is about “knowing” secrets. But in an era of credential stuffing, database breaches, and keyloggers, knowledge-based authentication is fragile. Requiring physical presence creates an air gap that remote attackers simply cannot cross.
3. Certificates Beat Keys (And It’s Not Even Close)
The SSH key model has a dirty secret: revocation doesn’t really work.
When you issue long-lived SSH keys (which is most keys), you face an impossible choice. Either you distribute them widely for convenience—creating sprawl and lost tracking—or you centralize them tightly, creating operational bottlenecks.
And when someone leaves the company or a key is suspected of being compromised? You’re supposed to remove it from every authorized_keys file across hundreds or thousands of servers. In practice, this almost never happens completely.
SSH certificates solve this elegantly. Sentinel-SSH uses HashiCorp Vault as an SSH Certificate Authority. Instead of distributing public keys to every server, you configure servers to trust Vault’s CA public key once. From that moment forward, Vault can issue short-lived signed certificates that servers automatically accept.
The beauty: when certificates expire (default: 30 minutes), access automatically terminates. No revocation lists. No cleanup scripts. No orphaned access.
“Certificates expire in 30 minutes. No need to manage or revoke long-lived static keys.”
Why this matters: Security debt compounds over time. Every long-lived credential is a forgotten backdoor waiting to be exploited. Ephemeral certificates eliminate this debt entirely, creating a security model that degrades safely by default.
4. Infrastructure as Code Isn’t Just About Provisioning—It’s About Access
Most teams use Terraform to provision EC2 instances, VPCs, and load balancers. But Sentinel-SSH does something radical: it uses Terraform to provision access itself.
The Terraform code doesn’t just spin up an EC2 instance—it:
- Configures the instance to trust Vault’s SSH CA public key
- Requests a signed SSH certificate from Vault for the current user
- Outputs the connection command with the ephemeral certificate
This means access policies live in version control. You can code-review who can SSH where. You can see in Git history when access patterns changed. You can apply the same CI/CD rigor to access control that you apply to infrastructure.
Look at this Terraform snippet from the project:
data "vault_generic_endpoint" "ssh_cert" {
path = "ssh/sign/terraform-ssh"
data_json = jsonencode({
public_key = file("~/.ssh/id_rsa.pub")
ttl = "15m"
})
}
Access is no longer a side-effect of infrastructure—it’s an explicit, auditable part of the infrastructure definition.
Why this matters: Shadow IT and undocumented access are the silent killers of enterprise security. When access is code, it becomes visible, reviewable, and enforceable. This is the zero-trust model actually implemented.
5. The Real Security Win Is What Doesn’t Happen
Perhaps the most profound insight isn’t about what this architecture enables—it’s about what it prevents from ever happening.
With Sentinel-SSH:
- You cannot accidentally commit a private key to GitHub (it’s on hardware)
- You cannot forget to rotate credentials (they expire automatically)
- You cannot lose track of who has access (it’s in Terraform state)
- You cannot have a former employee retain access (certificates expire)
- You cannot be phished for your SSH key (it’s hardware-bound)
This is security by elimination. Instead of adding more layers of defense, the architecture removes entire classes of vulnerabilities from the possibility space.
The traditional approach is to build higher walls and sharper detection. But the most secure system is one where the attack simply cannot be executed—not because it’s hard, but because the preconditions don’t exist.
“Zero Keys on Disk. 100% Hardware-Enforced. Ephemeral by Design.”
Why this matters: We’ve been conditioned to think of security as additive—more tools, more controls, more complexity. But the best security is subtractive: removing attack surface, eliminating persistent credentials, and making the architecture inherently resistant to entire threat categories.
The Future Is Already Here—It’s Just Unevenly Distributed
Sentinel-SSH isn’t theoretical—it’s a working proof of concept that you can deploy today. It combines commodity hardware (YubiKey 5 series), open-source tools (Vault, Terraform), and battle-tested protocols (SSH certificates, PIV smart cards) into something that feels like it shouldn’t be possible.
The question isn’t whether this approach is better—it objectively eliminates entire vulnerability classes. The question is: why aren’t we all doing this already?
Perhaps because it requires us to fundamentally rethink assumptions we’ve held for decades. Perhaps because it’s unfamiliar and unfamiliarity feels like risk. Or perhaps because we haven’t been shown that there’s a better way.
Now you know there is.
See It for Yourself
Want to explore the implementation details, review the Terraform code, or deploy this architecture in your own environment? The complete source code, configuration examples, and step-by-step setup guide are available in the Heimdall-SSH GitHub repository.
Clone it. Break it. Improve it. And when you’re done marveling at what’s possible, ask yourself: What other fundamental assumptions about security are just waiting to be challenged?
The future of infrastructure access is hardware-backed, ephemeral, and impossible to phish. The only question is when you’ll make the jump.