Adam Eijdenberg
2017-Feb-02 00:08 UTC
ssh-agent check for new fresh certificate (and key)? worthwhile doing?
On Thu, Feb 2, 2017 at 10:42 AM Damien Miller <djm at mindrot.org> wrote:
> On Thu, 2 Feb 2017, Adam Eijdenberg wrote:
> > I guess a case could be made for ssh-add to always set a timeout when
> > adding a certificate with an expiry time, but I think for now I'm
> > happy enough to do that on our end.
>
> That sounds like a fine idea.

Damien, to clarify, did you mean it would be a fine idea to submit a
patch to ssh-add to do so? (Or a fine idea to leave it alone and
handle it externally?)
Damien Miller
2017-Feb-02 03:48 UTC
ssh-agent check for new fresh certificate (and key)? worthwhile doing?
On Thu, 2 Feb 2017, Adam Eijdenberg wrote:
> On Thu, Feb 2, 2017 at 10:42 AM Damien Miller <djm at mindrot.org> wrote:
> > On Thu, 2 Feb 2017, Adam Eijdenberg wrote:
> > > I guess a case could be made for ssh-add to always set a timeout when
> > > adding a certificate with an expiry time, but I think for now I'm
> > > happy enough to do that on our end.
> >
> > That sounds like a fine idea.
>
> Damien, to clarify, did you mean it would be a fine idea to submit a
> patch to ssh-add to do so? (Or a fine idea to leave it alone and
> handle it externally?)

It's a fine idea for a feature - even just filing it on bugzilla would be
good.

-d
Michael Ströder
2017-Feb-02 09:30 UTC
ssh-agent check for new fresh certificate (and key)? worthwhile doing?
Damien Miller wrote:
> On Thu, 2 Feb 2017, Adam Eijdenberg wrote:
>
>> On Thu, Feb 2, 2017 at 10:42 AM Damien Miller <djm at mindrot.org> wrote:
>>> On Thu, 2 Feb 2017, Adam Eijdenberg wrote:
>>>> I guess a case could be made for ssh-add to always set a timeout when
>>>> adding a certificate with an expiry time, but I think for now I'm
>>>> happy enough to do that on our end.
>>>
>>> That sounds like a fine idea.
>>
>> Damien, to clarify, did you mean it would be a fine idea to submit a
>> patch to ssh-add to do so? (Or a fine idea to leave it alone and
>> handle it externally?)
>
> It's a fine idea for a feature - even just filing it on bugzilla would be
> good.

I'm also thinking about how to raise the security bar of SSH keys.

Would it be feasible to implement an SSH key agent which automagically
generates a new key pair (e.g. when triggered by ssh-add or when the cert
is expired) and sends the public key to an SSH signing service
(authenticating the user with stronger authc mechs like 2FA) which
returns the short-term SSH public-key cert?

This would also make it possible to automatically add the "from=" key
options because the SSH client's IP address is known.

Ciao, Michael.
Adam Eijdenberg
2017-Feb-02 10:23 UTC
ssh-agent check for new fresh certificate (and key)? worthwhile doing?
On Thu, Feb 2, 2017 at 2:48 PM, Damien Miller <djm at mindrot.org> wrote:
> > On Thu, 2 Feb 2017, Adam Eijdenberg wrote:
> > > I guess a case could be made for ssh-add to always set a timeout when
> > > adding a certificate with an expiry time, but I think for now I'm
> > > happy enough to do that on our end.
>
> It's a fine idea for a feature - even just filing it on bugzilla would be
> good.

Bug filed with a first cut at a patch for ssh-add here:
https://bugzilla.mindrot.org/show_bug.cgi?id=2675

Although after this thread and an offline chat with Peter, it became clear
that for our use-case we may not actually need to write the key or
certificate to disk at all*, and can just feed them straight to ssh-agent
(which was very easy to do with the Golang libraries).

Really appreciate all the great suggestions and support in this forum.

* Modulo Windows users. Sigh.
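The "handle it externally" option discussed in this thread, as an added example that is not part of the thread, the bugzilla patch, or OpenSSH itself: a small wrapper that reads the certificate's "Valid:" line from `ssh-keygen -L` output and passes the remaining validity to `ssh-add -t`, so the key leaves the agent when the certificate stops being useful. It assumes the `Valid:` line formats OpenSSH prints (`forever`, `from A to B`, `before B`, `after A`) with local-time timestamps in `%Y-%m-%dT%H:%M:%S` form, and that the certificate lives at `<key>-cert.pub` next to the private key, which is where ssh-add looks for it. The sample listing and clock are constructed for the example.

```python
"""Added example (not from the thread or from OpenSSH): derive an ssh-add -t
lifetime from a certificate's expiry as shown by `ssh-keygen -L`."""
import re
import subprocess
import sys
from datetime import datetime

# Assumption: the "Valid:" line looks like one of
#   Valid: forever | from A to B | before B | after A
# with A/B as local-time timestamps in %Y-%m-%dT%H:%M:%S form.
_VALID_RE = re.compile(r"^\s*Valid:\s*(.*?)\s*$", re.MULTILINE)
_TS_FMT = "%Y-%m-%dT%H:%M:%S"


def cert_valid_before(listing):
    """Parse the expiry out of `ssh-keygen -L` output.

    Returns a naive local-time datetime, or None when the certificate has no
    expiry ("forever" or "after <ts>"). Raises ValueError on anything else so
    a malformed listing never silently turns into an unlimited lifetime.
    """
    m = _VALID_RE.search(listing)
    if m is None:
        raise ValueError("no Valid: line in ssh-keygen -L output")
    parts = m.group(1).split()
    if parts == ["forever"]:
        return None
    if len(parts) == 4 and parts[0] == "from" and parts[2] == "to":
        return datetime.strptime(parts[3], _TS_FMT)
    if len(parts) == 2 and parts[0] == "before":
        return datetime.strptime(parts[1], _TS_FMT)
    if len(parts) == 2 and parts[0] == "after":
        return None
    raise ValueError("unrecognised Valid: line: %r" % (m.group(1),))


def agent_lifetime_seconds(listing, now):
    """Seconds of agent lifetime left; None = no expiry, 0 = already expired."""
    expiry = cert_valid_before(listing)
    if expiry is None:
        return None
    return max(int((expiry - now).total_seconds()), 0)


def ssh_add_args(listing, key_path, now):
    """Build the ssh-add command line; refuse an expired certificate outright."""
    lifetime = agent_lifetime_seconds(listing, now)
    if lifetime is None:
        return ["ssh-add", key_path]
    if lifetime == 0:
        raise ValueError("certificate has already expired; not adding it")
    return ["ssh-add", "-t", str(lifetime), key_path]


# Constructed sample of `ssh-keygen -L -f id_ed25519-cert.pub` output
# (fingerprints elided); not captured from a real certificate.
SAMPLE_LISTING = """\
id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:<elided>
        Signing CA: ED25519 SHA256:<elided>
        Key ID: "example-user"
        Serial: 42
        Valid: from 2017-02-02T09:00:00 to 2017-02-02T17:00:00
        Principals:
                example-user
"""
# Constructed "now" for the sample: 09:30 local time, 7.5 h before expiry.
SAMPLE_NOW = datetime(2017, 2, 2, 9, 30, 0)


def main(argv):
    # ssh-add looks for <key>-cert.pub beside the private key; so does this.
    if len(argv) != 2:
        sys.stderr.write("usage: %s <private-key>\n" % argv[0])
        return 2
    key_path = argv[1]
    listing = subprocess.run(
        ["ssh-keygen", "-L", "-f", key_path + "-cert.pub"],
        check=True, capture_output=True, text=True,
    ).stdout
    return subprocess.call(ssh_add_args(listing, key_path, datetime.now()))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats a practitioner should keep in mind: the lifetime is computed on the client's clock, while the server enforces the certificate's own ValidBefore, so skew between the two only ever shortens the usable window rather than extending it; and `-t` bounds how long the agent will serve the key, it does not revoke anything, so a CA-side revocation list is still the only way to cut a certificate short before it expires.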