Adam Eijdenberg
2017-Feb-02 00:08 UTC
ssh-agent check for new fresh certificate (and key)? worthwhile doing?
On Thu, Feb 2, 2017 at 10:42 AM Damien Miller <djm at mindrot.org> wrote:> On Thu, 2 Feb 2017, Adam Eijdenberg wrote: > > I guess a case could be made for ssh-add to always set a timeout when > > adding a certificate with an expiry time, but I think for now I'm > > happy enough to do that on our end. > > That sounds like a fine idea.Damien, to clarify did you mean it would be a fine idea to submit a patch to ssh-add to do so? (or a fine idea to leave it it alone and handle externally)
Damien Miller
2017-Feb-02 03:48 UTC
ssh-agent check for new fresh certificate (and key)? worthwhile doing?
On Thu, 2 Feb 2017, Adam Eijdenberg wrote:> On Thu, Feb 2, 2017 at 10:42 AM Damien Miller <djm at mindrot.org> wrote: > > On Thu, 2 Feb 2017, Adam Eijdenberg wrote: > > > I guess a case could be made for ssh-add to always set a timeout when > > > adding a certificate with an expiry time, but I think for now I'm > > > happy enough to do that on our end. > > > > That sounds like a fine idea. > > Damien, to clarify did you mean it would be a fine idea to submit a > patch to ssh-add to do so? (or a fine idea to leave it it alone and > handle externally)It's a fine idea for a feature - even just filing it on bugzilla would be good. -d
Michael Ströder
2017-Feb-02 09:30 UTC
ssh-agent check for new fresh certificate (and key)? worthwhile doing?
Damien Miller wrote:> On Thu, 2 Feb 2017, Adam Eijdenberg wrote: > >> On Thu, Feb 2, 2017 at 10:42 AM Damien Miller <djm at mindrot.org> wrote: >>> On Thu, 2 Feb 2017, Adam Eijdenberg wrote: >>>> I guess a case could be made for ssh-add to always set a timeout when >>>> adding a certificate with an expiry time, but I think for now I'm >>>> happy enough to do that on our end. >>> >>> That sounds like a fine idea. >> >> Damien, to clarify did you mean it would be a fine idea to submit a >> patch to ssh-add to do so? (or a fine idea to leave it it alone and >> handle externally) > > It's a fine idea for a feature - even just filing it on bugzilla would be > good.I'm also thinking about how to raise the security bar of SSH keys. Would it be feasible to implement a SSH key agent which automagically generates a new key pair (e.g. when triggered by ssh-add or cert is expired) and sends the public key to a SSH signing service (authenticating the user with stronger authc mechs like 2FA) which returns the short-term SSH public-key cert? This would also make it possible to automatically add the "from=" key options because the SSH client's IP address is known. Ciao, Michael. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3829 bytes Desc: S/MIME Cryptographic Signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170202/0b65d479/attachment.bin>
Adam Eijdenberg
2017-Feb-02 10:23 UTC
ssh-agent check for new fresh certificate (and key)? worthwhile doing?
On Thu, Feb 2, 2017 at 2:48 PM, Damien Miller <djm at mindrot.org> wrote:>> > On Thu, 2 Feb 2017, Adam Eijdenberg wrote: >> > > I guess a case could be made for ssh-add to always set a timeout when >> > > adding a certificate with an expiry time, but I think for now I'm >> > > happy enough to do that on our end. > It's a fine idea for a feature - even just filing it on bugzilla would be > good.Bug filed with first cut at patch for ssh-add here: https://bugzilla.mindrot.org/show_bug.cgi?id=2675 Although after this thread and an offline chat with Peter, it became clear that for our use-case we may not actually need to write the key or certificate to disk at all*, and can just feed them straight to ssh-agent (which was very easy to do with the Golang libraries). Really appreciate all the great suggestions and support in this forum. * Modulo Windows users. Sigh.
Maybe Matching Threads
- ssh-agent check for new fresh certificate (and key)? worthwhile doing?
- ssh-agent check for new fresh certificate (and key)? worthwhile doing?
- ssh-agent check for new fresh certificate (and key)? worthwhile doing?
- [Bug 2675] New: When adding certificates to ssh-agent, use expiry date as upper bound for lifetime
- 2.3.11.3 on 32bit platforms