andreaso · andreaso · Apr 1, 2024 · Apr 1, 2024 · Apr 1, 2024
diff --git a/README.md b/README.md
@@ -9,7 +9,7 @@ certificate from it.
 
 ```yaml
 jobs:
-  build:
+  deploy:
     permissions:
       contents: read
       id-token: write
@@ -30,11 +30,11 @@ jobs:
       - name: Deploy site
         if: github.ref == 'refs/heads/main'
         run: >
-          rsync -e "ssh -i '$SSH_CERT_PATH'"
+          rsync -e "ssh -i '$SSH_KEY_PATH'"
           --verbose --recursive --delete-after --perms --chmod=D755,F644
           build/ [email protected]:/var/www/site/
         env:
-          SSH_CERT_PATH: ${{ steps.ssh_cert.outputs.key_path }}
+          SSH_KEY_PATH: ${{ steps.ssh_cert.outputs.key_path }}
 ```
 
 Do note that all client certification configuration is expected to
@@ -108,5 +108,30 @@ resource "vault_jwt_auth_backend_role" "example" {
 }
 ```
 
+```terraform
+output "ssh_ca" {
+  value = vault_ssh_secret_backend_ca.ssh_ca.public_key
+}
+```
+
+### OpenSSH
+
+```ssh-config
+# /etc/ssh/sshd_config
+# ...
+TrustedUserCAKeys /etc/ssh/sshd_user_ca.pub
+AuthorizedPrincipalsFile /etc/ssh/user_principals/%u
+```
+
+```text
+# /etc/ssh/sshd_user_ca.pub
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...
+```
+
+```text
+# /etc/ssh/user_principals/deployer
+[email protected]
+```
+
 
 [1]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect