Michael Ströder
2017-Feb-02 09:30 UTC
ssh-agent check for new fresh certificate (and key)? worthwhile doing?
Damien Miller wrote:
> On Thu, 2 Feb 2017, Adam Eijdenberg wrote:
>
>> On Thu, Feb 2, 2017 at 10:42 AM Damien Miller <djm at mindrot.org> wrote:
>>> On Thu, 2 Feb 2017, Adam Eijdenberg wrote:
>>>> I guess a case could be made for ssh-add to always set a timeout when
>>>> adding a certificate with an expiry time, but I think for now I'm
>>>> happy enough to do that on our end.
>>>
>>> That sounds like a fine idea.
>>
>> Damien, to clarify did you mean it would be a fine idea to submit a
>> patch to ssh-add to do so? (or a fine idea to leave it alone and
>> handle externally)
>
> It's a fine idea for a feature - even just filing it on bugzilla would be
> good.

I'm also thinking about how to raise the security bar of SSH keys.

Would it be feasible to implement an SSH key agent which automagically generates a new key pair (e.g. when triggered by ssh-add or when the cert is expired) and sends the public key to an SSH signing service (authenticating the user with stronger authc mechs like 2FA) which returns the short-term SSH public-key cert? This would also make it possible to automatically add the "from=" key options because the SSH client's IP address is known.

Ciao, Michael.
Adam Eijdenberg
2017-Feb-02 10:49 UTC
ssh-agent check for new fresh certificate (and key)? worthwhile doing?
On Thu, Feb 2, 2017 at 8:30 PM, Michael Ströder <michael at stroeder.com> wrote:
> Would it be feasible to implement a SSH key agent which automagically generates a new key
> pair (e.g. when triggered by ssh-add or cert is expired) and sends the public key to a
> SSH signing service (authenticating the user with stronger authc mechs like 2FA) which
> returns the short-term SSH public-key cert? This would also make it possible to
> automatically add the "from=" key options because the SSH client's IP address is known.

Hi Michael,

That pretty much describes what we're doing with one of my customers, with SSO to Google Apps (which in turn enforces 2FA etc), and I know we aren't the only ones doing it. Once a day our users run a command:

$ updatecerts
Please click the "Allow" button in your browser to authorize our SSO tool.
2017/02/02 21:34:44 Authorization code received.
2017/02/02 21:34:44 Exchanging authorization code for long-lived credentials.
2017/02/02 21:34:45 Received long-lived credentials.
2017/02/02 21:34:46 Have valid ID token
2017/02/02 21:34:46 Generating new private key.
2017/02/02 21:34:46 Requesting fresh certificates...
2017/02/02 21:34:47 Received new certificates from server.
2017/02/02 21:34:47 Writing new private key.
2017/02/02 21:34:47 Installing new certificate.
2017/02/02 21:34:47 SSH_AUTH_SOCK detected, adding certificate to ssh-agent.
2017/02/02 21:34:47 Certificate will be added with TTL of 86400 seconds.

The company I did this work for (Androgogic) were kind enough to let me open-source it, so you can find the server and client here: https://github.com/continusec/geecert

I think Teleport also do something similar: http://gravitational.com/teleport/

Facebook describe similar here too: https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/

Cheers, Adam
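Damien's suggestion quoted earlier in the thread (ssh-add setting a timeout whenever it loads a key whose certificate has an expiry) and the fixed 86400-second TTL in the session above can both be derived from the certificate itself. The following Python is an added example, not code from geecert or OpenSSH: it walks the OpenSSH certificate wire format (PROTOCOL.certkeys) far enough to read the validity window and returns the value to pass to `ssh-add -t`. The certificate it builds with `build_sample_cert` is constructed and unsigned purely to exercise the parser; the function names and the `alice@laptop` key id are assumptions of the example.

```python
import base64, struct, time

# Public-key fields that precede the serial, per cert type (OpenSSH PROTOCOL.certkeys).
PK_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,
    "ssh-rsa-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
}
FOREVER = 0xFFFFFFFFFFFFFFFF  # valid_before value meaning "no expiry"

def _s(b):
    """Encode bytes as an SSH 'string' (uint32 length prefix + data)."""
    return struct.pack(">I", len(b)) + b

def _read_s(buf, off):
    """Decode one SSH 'string' at offset; return (data, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def cert_validity(cert_line):
    """Return (key_id, valid_after, valid_before); the signature is NOT verified."""
    cert_type, b64 = cert_line.split()[:2]
    if cert_type not in PK_FIELDS:
        raise ValueError("unsupported certificate type: %s" % cert_type)
    buf = base64.b64decode(b64)
    typ, off = _read_s(buf, 0)
    if typ.decode() != cert_type:
        raise ValueError("blob type does not match declared type")
    _nonce, off = _read_s(buf, off)
    for _ in range(PK_FIELDS[cert_type]):  # public key material
        _pk, off = _read_s(buf, off)
    off += 12  # skip uint64 serial + uint32 cert type (user/host)
    key_id, off = _read_s(buf, off)
    _principals, off = _read_s(buf, off)
    valid_after, valid_before = struct.unpack(">QQ", buf[off:off + 16])
    return key_id.decode(), valid_after, valid_before

def ssh_add_ttl(cert_line, now=None):
    """Seconds for `ssh-add -t`: None if no expiry, 0 if already expired."""
    now = int(time.time()) if now is None else now
    _key_id, _after, before = cert_validity(cert_line)
    return None if before == FOREVER else max(0, before - now)

def build_sample_cert(valid_after, valid_before):
    """Constructed, UNSIGNED ed25519 cert used only to exercise the parser."""
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(bytes(32)) + _s(bytes(32))
            + struct.pack(">QI", 1, 1) + _s(b"alice@laptop") + _s(_s(b"alice"))
            + struct.pack(">QQ", valid_after, valid_before) + _s(b"")
            + _s(_s(b"permit-pty") + _s(b"")) + _s(b"") + _s(b"ca-key") + _s(b"sig"))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()
```

On a real certificate, feed `ssh_add_ttl` the contents of the `*-cert.pub` file and pass the result as `ssh-add -t <seconds> <key>`; a TTL of 0 means the agent should not load the key at all.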
Michael Ströder
2017-Feb-02 11:01 UTC
ssh-agent check for new fresh certificate (and key)? worthwhile doing?
On 2017-02-02 11:49, Adam Eijdenberg wrote:
> On Thu, Feb 2, 2017 at 8:30 PM, Michael Ströder <michael at stroeder.com>
> wrote:
>> Would it be feasible to implement a SSH key agent which automagically
>> generates a new key
>> pair (e.g. when triggered by ssh-add or cert is expired) and sends the
>> public key to a
>> SSH signing service (authenticating the user with stronger authc mechs
>> like 2FA) which
>> returns the short-term SSH public-key cert? This would also make it
>> possible to
>> automatically add the "from=" key options because the SSH client's IP
>> address is known.
>
> That pretty much describes what we're doing with one of my customers,
> with SSO to Google Apps (which in turn enforces 2FA etc), and I know
> we aren't the only ones doing it. Once a day our users run a command:
>
> $ updatecerts
> Please click the "Allow" button in your browser to authorize our SSO
> tool.
> [..]
> 2017/02/02 21:34:47 SSH_AUTH_SOCK detected, adding certificate to
> ssh-agent.

Yes, I've already glanced over your github repo.

I was rather thinking about integrating the whole thing into a custom SSO SSH key agent. Hmm, one could even skip the ssh-add and integrate it into a wrapper script when invoking the ssh client.

Thanks for the additional links.

Ciao, Michael.