Andy Lutomirski
2023-Mar-06 18:16 UTC
Feature request: a good way to supply short-lived certificates to openssh
Some systems like to have a CA supply short-lived certificates to ssh clients. The basic idea is that servers enable certificate authentication, clients authenticate to the CA out of band, and the CA issues client certificates that are valid for a short enough time that users don't want to manually drop them into ~/.ssh or otherwise think about them. There are a handful of commercial examples, and it's also pretty straightforward to implement this manually. As far as I an tell, ssh and ssh_config don't have a great way to handle this usage model. Various kludges and solutions that sort of work include: User runs a command to get the certificate, and the command puts the certificate somewhere that matches the CertificateFile. If the user forgets to run the command, they fail to authenticate and have to do it manually. ssh_config contains a Match ... exec [command to refresh the certificate]. This sort of works, except that it runs the command far too frequently. For example, ssh -O exit [name] refreshes the certificate, and it should not do so. IdentityAgent could point to a custom agent. This would be more useful if ssh could _start_ the agent. In any case, this requires an agent, which is more complex than a tool that refreshes a certificate. PKCS11Provider doesn't seem useful. ProxyCommand could specify a command that refreshes the certificate. Cloudflare recommended this at one point, and it worked about as poorly as might be expected. (That is, very poorly indeed.) So my feature request: a way to do this for real. Here are a couple of ideas: PreAuthCommand: runs a command before reading any files associated with authentication. (This especially means that the command runs, and completes, before opening the CertificateFile.) CertificateCommand: runs a command that outputs a certificate or perhaps just a CertificateFile directive. I'm sure there are more ways to make this better, hence this feature request. Thanks, Andy
Darren Tucker
2023-Mar-06 22:09 UTC
Feature request: a good way to supply short-lived certificates to openssh
On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote: [...]> ssh_config contains a Match ... exec [command to refresh the certificate]. This sort of works, > except that it runs the command far too frequently. For example, ssh -O exit [name] refreshes > the certificate, and it should not do so.You can have the command check if the cert is expired or near expired before refreshing it. I've done this in the past with expiring certificates.> This would be more useful if ssh could _start_ the agent.This is difficult because ssh relies on $SSH_AUTH_SOCK in its environment to find the agent's socket. In normal use, the way this works is usually one of: - the agent is started before the shell (eg by a desktop environment), the shell inherits SSH_AUTH_SOCK from the window manager or equivalent and ssh inherits it from the shell. - the agent starts the command, which inherits SSH_AUTH_SOCK directly from the agent - the agent outputs SSH_AUTH_SOCK on stdout for the shell to parse (this is why you need to eval it, otherwise the agent has no way of setting SSH_AUTH_SOCK in its parent shell). -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Possibly Parallel Threads
- Feature request: a good way to supply short-lived certificates to openssh
- Feature request: a good way to supply short-lived certificates to openssh
- Feature request: a good way to supply short-lived certificates to openssh
- How to get "Enter passphrase" on command line rather than GUI pop-up?
- [Bug 3652] New: KnownHostsCommand should expand tokens and environment variables on first argument