Adam Eijdenberg
2017-Feb-01  22:08 UTC
ssh-agent check for new fresh certificate (and key)? worthwhile doing?
On Thu, Feb 2, 2017 at 1:16 AM, Peter Moody <mindrot at hda3.com> wrote:> why not add the certificate to the running ssh-agent with a timeout > that expires when the cert does?That's an excellent idea. I've modified our tooling to do exactly that (https://github.com/continusec/geecert/commit/dfeee14b278e28d15bf532bb6e6e8ffe530e6b11). Thank you for the suggestion.> I don't think ssh-agent exposes a "how long until this key expires" > api, but you can at least use this method to see if the cert/key are > *on* the agent and you can assume that if they're on the agent, then > they're valid.I guess a case could be made for ssh-add to always set a timeout when adding a certificate with an expiry time, but I think for now I'm happy enough to do that on our end.
Damien Miller
2017-Feb-01  23:42 UTC
ssh-agent check for new fresh certificate (and key)? worthwhile doing?
On Thu, 2 Feb 2017, Adam Eijdenberg wrote:> > I don't think ssh-agent exposes a "how long until this key expires" > > api, but you can at least use this method to see if the cert/key are > > *on* the agent and you can assume that if they're on the agent, then > > they're valid. > > I guess a case could be made for ssh-add to always set a timeout when > adding a certificate with an expiry time, but I think for now I'm > happy enough to do that on our end.That sounds like a fine idea. -d
Adam Eijdenberg
2017-Feb-02  00:08 UTC
ssh-agent check for new fresh certificate (and key)? worthwhile doing?
On Thu, Feb 2, 2017 at 10:42 AM Damien Miller <djm at mindrot.org> wrote:> On Thu, 2 Feb 2017, Adam Eijdenberg wrote: > > I guess a case could be made for ssh-add to always set a timeout when > > adding a certificate with an expiry time, but I think for now I'm > > happy enough to do that on our end. > > That sounds like a fine idea.Damien, to clarify did you mean it would be a fine idea to submit a patch to ssh-add to do so? (or a fine idea to leave it it alone and handle externally)