bugzilla-daemon at bugzilla.mindrot.org
2017-Feb-02 10:13 UTC
[Bug 2675] New: When adding certificates to ssh-agent, use expiry date as upper bound for lifetime
https://bugzilla.mindrot.org/show_bug.cgi?id=2675 Bug ID: 2675 Summary: When adding certificates to ssh-agent, use expiry date as upper bound for lifetime Product: Portable OpenSSH Version: 7.4p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh-add Assignee: unassigned-bugs at mindrot.org Reporter: adam at continusec.com Created attachment 2935 --> https://bugzilla.mindrot.org/attachment.cgi?id=2935&action=edit First cut of patch For users that regularly receive new short-lived certificates, it is useful to be able to add these to ssh-agent without the list of identities continually growing. Since ssh-add already supports a lifetime parameter, suggest changing behaviour of ssh-add such that we always use the expiry date in the certificate as an upper bound for the lifetime. Sample usage: $ ssh-add ~/.ssh/id_androgogic_shortlived_rsa Set lifetime to 74594 to match certificate expiry time. Identity added: /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa (/Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa) Lifetime set to 74594 seconds Certificate added: /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa-cert.pub (adam/androbot (for adam.eijdenberg at androgogic.com)) Lifetime set to 74594 seconds -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Feb-02 10:15 UTC
[Bug 2675] When adding certificates to ssh-agent, use expiry date as upper bound for lifetime
https://bugzilla.mindrot.org/show_bug.cgi?id=2675 Adam Eijdenberg <adam at continusec.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #2935|0 |1 is obsolete| | --- Comment #1 from Adam Eijdenberg <adam at continusec.com> --- Created attachment 2936 --> https://bugzilla.mindrot.org/attachment.cgi?id=2936&action=edit Patch with correct content type set -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Nov-03 05:01 UTC
[Bug 2675] When adding certificates to ssh-agent, use expiry date as upper bound for lifetime
https://bugzilla.mindrot.org/show_bug.cgi?id=2675 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #2936|0 |1 is obsolete| | CC| |djm at mindrot.org --- Comment #2 from Damien Miller <djm at mindrot.org> --- Created attachment 3085 --> https://bugzilla.mindrot.org/attachment.cgi?id=3085&action=edit automatically set lifetimes, add -C, -f and -v options This attempts the same thing a little differently. This only looks at the valid_before time - I don't think it is helpful to warn if the certificate isn't yet valid as adding a cert that starts a few seconds in the future seems like a pretty common thing to do. Maybe it could be a debug message? I also added a short grace period for expiring certificates, a way to override the helpfulness (-f), more nuanced error checking (e.g. not skipping loading a key if the cert was expired), a -C flag to only load certs and a verbose (-v) flag to get at the new debug messages. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Apparently Analagous Threads
- [Bug 2617] New: sign_and_send_pubkey: no separate private key for certificate
- Golang CertChecker hostname validation differs to OpenSSH
- Golang CertChecker hostname validation differs to OpenSSH
- ssh-agent check for new fresh certificate (and key)? worthwhile doing?
- ssh-agent check for new fresh certificate (and key)? worthwhile doing?