Darren Tucker
2023-Mar-06 22:09 UTC
Feature request: a good way to supply short-lived certificates to openssh
On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote: [...]> ssh_config contains a Match ... exec [command to refresh the certificate]. This sort of works, > except that it runs the command far too frequently. For example, ssh -O exit [name] refreshes > the certificate, and it should not do so.You can have the command check if the cert is expired or near expired before refreshing it. I've done this in the past with expiring certificates.> This would be more useful if ssh could _start_ the agent.This is difficult because ssh relies on $SSH_AUTH_SOCK in its environment to find the agent's socket. In normal use, the way this works is usually one of: - the agent is started before the shell (eg by a desktop environment), the shell inherits SSH_AUTH_SOCK from the window manager or equivalent and ssh inherits it from the shell. - the agent starts the command, which inherits SSH_AUTH_SOCK directly from the agent - the agent outputs SSH_AUTH_SOCK on stdout for the shell to parse (this is why you need to eval it, otherwise the agent has no way of setting SSH_AUTH_SOCK in its parent shell). -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Damien Miller
2023-Mar-06 22:53 UTC
Feature request: a good way to supply short-lived certificates to openssh
On Tue, 7 Mar 2023, Darren Tucker wrote:> On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote: > [...] > > ssh_config contains a Match ... exec [command to refresh the certificate]. This sort of works, > > except that it runs the command far too frequently. For example, ssh -O exit [name] refreshes > > the certificate, and it should not do so. > > You can have the command check if the cert is expired or near expired > before refreshing it. I've done this in the past with expiring > certificates. > > > This would be more useful if ssh could _start_ the agent. > > This is difficult because ssh relies on $SSH_AUTH_SOCK in its > environment to find the agent's socket.You could probably rig something up using a fixed agent socket path. E.g. IdentityAgent ~/.ssh/.agent-sock Match !canonical exec "check-and-start-agent.sh" # Will start agent at ~/.ssh/.agent-sock if not already running. The agent socket is AFAIK only opened after configuration processing completes, so this should work. It might also be possible to skip the Match block using some socket activation trick. -d
Andy Lutomirski
2023-Mar-06 23:22 UTC
Feature request: a good way to supply short-lived certificates to openssh
On Mon, Mar 6, 2023, at 2:09 PM, Darren Tucker wrote:> On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote: > [...] >> ssh_config contains a Match ... exec [command to refresh the certificate]. This sort of works, >> except that it runs the command far too frequently. For example, ssh -O exit [name] refreshes >> the certificate, and it should not do so. > > You can have the command check if the cert is expired or near expired > before refreshing it. I've done this in the past with expiring > certificates.True, but that doesn't help with the -O exit use case. And it's really quite silly for any configuration using ControlMaster -- I don't want my certificates renewed when I'm joining an existing ControlMaster question. So I still think that openssh doesn't have a great mechanism more this, and I think my feature request still makes sense.
Rory Campbell-Lange
2023-Mar-07 11:25 UTC
Feature request: a good way to supply short-lived certificates to openssh
On 07/03/23, Darren Tucker (dtucker at dtucker.net) wrote:> On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote: > [...] > > ssh_config contains a Match ... exec [command to refresh the certificate]. > > This sort of works, except that it runs the command far too frequently. > > For example, ssh -O exit [name] refreshes the certificate, and it should > > not do so. > > You can have the command check if the cert is expired or near expired > before refreshing it. I've done this in the past with expiring > certificates.I was intrigued by Darren's note about a command to check certificate expiry. I've put together a quick POC in go to list expiring certificates: https://gist.github.com/rorycl/d194243c61b349021935c97f751a931e Output is something like: 0 key ssh-ed25519 : is not a certificate 1 key ssh-ed25519-cert-v01 at openssh.com comment: acmeinc_briony_from:2023-03-07T08:18_to:2023-03-07T11:18UTC validity: 2023-03-07 08:37:23 GMT to 2023-03-07 11:37:23 GMT expiring in 60m? true I'd be grateful to Andy if he explained what sort of command he runs to refresh certificates. I understood most refresh arrangements to involve OAuth2. Rory
Possibly Parallel Threads
- Feature request: a good way to supply short-lived certificates to openssh
- Feature request: a good way to supply short-lived certificates to openssh
- Feature request: a good way to supply short-lived certificates to openssh
- Signed SSH key issue with OpenSSH6.4p1
- [Bug 2617] New: sign_and_send_pubkey: no separate private key for certificate