Deploying Duo to many Mac and Linux systems. There is pervasive use of SSH in the environment, much of it automated by using SSH keys as one would expect.
I would treat the keys as “untrusted” since they are currently completely user managed. Switching to trusted auth, I’d use AD as the first factor, and Duo as the second. This ensures a quick cleanup of a newly departing user without having to go back and sweep up keys.
The issue with this is that it pretty much breaks automation.
What are folks doing (outside of Kerberos) to make SSH behave sort of like an SSO login? What I’d like to see is a capability to log in with AD/Duo once and have that session live for x number of hours before requiring re-authentication. This, I think, would be a good middle ground to support automation within reason and still keep it manageable from a security/risk perspective.