Displaying 3 results from an estimated 3 matches for "preauthcommand".
2023 Mar 07
1
Feature request: a good way to supply short-lived certificates to openssh
...is a kludge. On the one hand, it mostly works. On the other hand, it behaves poorly when doing anything other than just connecting. The case that bothers me the most is ssh -O command myhost.
I think the most straightforward change to openssh would be to allow me to rewrite it as:
    Host myhost
        PreAuthCommand cloudflared access ssh-gen --hostname myhost.domain
        ProxyCommand cloudflared access ssh --hostname myhost.domain
        IdentityFile ~/.cloudflared/blahblah
        CertificateFile ~/.cloudflared/blahblah.pub
ssh -O would not invoke the PreAuthCommand, and other ssh commands that don't need to authenticat...
2023 Mar 07
2
Feature request: a good way to supply short-lived certificates to openssh
On 07/03/23, Darren Tucker (dtucker at dtucker.net) wrote:
> On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote:
> [...]
> > ssh_config contains a Match ... exec [command to refresh the certificate].
> > This sort of works, except that it runs the command far too frequently.
> > For example, ssh -O exit [name] refreshes the certificate, and it
2023 Mar 06
1
Feature request: a good way to supply short-lived certificates to openssh
...n't seem useful.
ProxyCommand could specify a command that refreshes the certificate. Cloudflare recommended this at one point, and it worked about as poorly as might be expected. (That is, very poorly indeed.)
So my feature request: a way to do this for real. Here are a couple of ideas:
PreAuthCommand: runs a command before reading any files associated with authentication. (This especially means that the command runs, and completes, before opening the CertificateFile.)
CertificateCommand: runs a command that outputs a certificate or perhaps just a CertificateFile directive.
I'm sure there...