I might have a thinking fault: To secure my ssh keys, I would like to keep them on the server inside the HSM. So I wonder how I need to set up ssh on the client to get remotely connected to the server?
As the private key is only inside the (server) HSM, the client could only obtain the public key. Is there any trick (e.g. ssh-agent) with which this scenario could work?
Second case would be: ONE client has also an NK pro and the public key is registered on the server with HSM. From there all other clients and servers could be reached with the key pair stored in the HSM and ssh-agent running on the server.
I think the second scenario will work, but it will need two HW tokens. Also, the client's HW token could be used to connect to all other machines directly. So what are the use-cases for the second scenario?
(Maybe somebody could share a usual practice.)
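As an added illustration of the "second case" (not code from the post or from Nitrokey): a client-side ssh_config fragment in which the key pair stays on the client's own token, reached through OpenSC's PKCS#11 module, and the HSM-equipped server is used only as a jump host via `ProxyJump`. With `ProxyJump` the second hop is tunnelled through the bastion, so no private key and no forwarded agent ever needs to exist on the bastion. The hostnames (`bastion.example.net`, `internal-*`), the user `alice` and the module path `/usr/lib/opensc-pkcs11.so` are constructed assumptions; `export_pubkey` requires a real token to be plugged in.

```shell
#!/bin/sh
# Added example, not from the forum post: client config for reaching internal
# hosts through the HSM-equipped server without leaving key material on it.
# Assumptions (constructed): hostnames bastion.example.net / internal-*,
# user "alice", OpenSC PKCS#11 module at /usr/lib/opensc-pkcs11.so.

PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/opensc-pkcs11.so}"

# write_ssh_config prints an ssh_config fragment. The private key is read from
# the client's token via PKCS11Provider on both hops; ProxyJump opens the
# second connection through the bastion, so agent forwarding is not needed
# and is explicitly disabled.
write_ssh_config() {
cat <<EOF
Host bastion
    HostName bastion.example.net
    User alice
    PKCS11Provider $PKCS11_MODULE
    IdentitiesOnly yes

Host internal-*
    User alice
    ProxyJump bastion
    PKCS11Provider $PKCS11_MODULE
    IdentitiesOnly yes
    ForwardAgent no
EOF
}

# export_pubkey prints the public key(s) stored on the token so they can be
# appended to ~/.ssh/authorized_keys on the bastion and on each internal host.
# (Needs the token present; not exercised by the self-check below.)
export_pubkey() {
    ssh-keygen -D "$PKCS11_MODULE"
}

# config_has returns 0 if the generated fragment contains the given directive
# line; handy as a quick audit that agent forwarding stays off.
config_has() {
    write_ssh_config | grep -q "^    $1\$"
}
```

Usage: `write_ssh_config >> ~/.ssh/config`, then `export_pubkey` on the client and paste the printed line into `authorized_keys` on each server. After that, `ssh internal-db` prompts for the token PIN and transparently hops through `bastion`.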