openssh bugs - Feb 2017 - [Bug 2675] New: When adding certificates to ssh-agent, use expiry date as upper bound for lifetime

https://bugzilla.mindrot.org/show_bug.cgi?id=2675

            Bug ID: 2675
           Summary: When adding certificates to ssh-agent, use expiry date
                    as upper bound for lifetime
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-add
          Assignee: unassigned-bugs at mindrot.org
          Reporter: adam at continusec.com

Created attachment 2935
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2935&action=edit
First cut of patch

For users that regularly receive new short-lived certificates, it is
useful to be able to add these to ssh-agent without the list of
identities continually growing.

Since ssh-add already supports a lifetime parameter, suggest changing
behaviour of ssh-add such that we always use the expiry date in the
certificate as an upper bound for the lifetime.

Sample usage:

$ ssh-add ~/.ssh/id_androgogic_shortlived_rsa
Set lifetime to 74594 to match certificate expiry time.
Identity added: /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa
(/Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa)
Lifetime set to 74594 seconds
Certificate added:
/Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa-cert.pub
(adam/androbot (for adam.eijdenberg at androgogic.com))
Lifetime set to 74594 seconds

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2675

Adam Eijdenberg <adam at continusec.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2935|0                           |1
        is obsolete|                            |

--- Comment #1 from Adam Eijdenberg <adam at continusec.com> ---
Created attachment 2936
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2936&action=edit
Patch with correct content type set

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2675

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2936|0                           |1
        is obsolete|                            |
                 CC|                            |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3085
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3085&action=edit
automatically set lifetimes, add -C, -f and -v options

This attempts the same thing a little differently.

This only looks at the valid_before time - I don't think it is helpful
to warn if the certificate isn't yet valid as adding a cert that starts
a few seconds in the future seems like a pretty common thing to do.
Maybe it could be a debug message?

I also added a short grace period for expiring certificates, a way to
override the helpfulness (-f), more nuanced error checking (e.g. not
skipping loading a key if the cert was expired), a -C flag to only load
certs and a verbose (-v) flag to get at the new debug messages.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.