search for: rorycl

Displaying 8 results from an estimated 8 matches for "rorycl".

2023 Dec 08
1
Non-shell accounts and scp/sftp
...use by ssh, might it not be worth considering an ssh certificate signing authority? I've made the proof-of-concept noted below, which adds certificates to forwarded agents. It doesn't need shell accounts, but presently requires ssh public keys to be added to a yaml file: https://github.com/rorycl/sshagentca Cheers, Rory
2020 Jun 16
2
client host certificates and receiving host configuration
I'm working on a small server written in Go to add short-lived user certificates to the forwarded agents of authorized users. https://github.com/rorycl/sshagentca This seems to work quite well for accessing sshd servers with the appropriately configured "TrustedUserCAKeys" directive. I have been in a debate about how similarly adding host certificates to forwarded agents could help mitigate man-in-the-middle attacks. This has raised a...
2023 Mar 07
2
Feature request: a good way to supply short-lived certificates to openssh
...rt is expired or near expired > before refreshing it. I've done this in the past with expiring > certificates. I was intrigued by Darren's note about a command to check certificate expiry. I've put together a quick POC in go to list expiring certificates: https://gist.github.com/rorycl/d194243c61b349021935c97f751a931e Output is something like: 0 key ssh-ed25519 : is not a certificate 1 key ssh-ed25519-cert-v01 at openssh.com comment: acmeinc_briony_from:2023-03-07T08:18_to:2023-03-07T11:18UTC validity: 2023-03-07 08:37:23 GMT to 2023-03-07 11:37:23 GMT...
2023 Mar 07
1
Feature request: a good way to supply short-lived certificates to openssh
...> before refreshing it. I've done this in the past with expiring >> certificates. > > I was intrigued by Darren's note about a command to check certificate > expiry. I've put together a quick POC in go to list expiring > certificates: > https://gist.github.com/rorycl/d194243c61b349021935c97f751a931e > > Output is something like: > > 0 key ssh-ed25519 : is not a certificate > 1 key ssh-ed25519-cert-v01 at openssh.com > comment: acmeinc_briony_from:2023-03-07T08:18_to:2023-03-07T11:18UTC > validity: 2023-03-07 08:37:2...
2023 Dec 07
3
Non-shell accounts and scp/sftp
Hi, We have a CLI that certain users get dropped into when they log in. One of the things they can do is generate certificates (actually .p12 key/certificate bundles) that they will then scp out of the box from another host. Problem is that if their default shell isn't sh, ash, dash, bash, zsh, etc. then things break. Is there a workaround to allow scp/sftp to continue to work even for
2023 Mar 06
3
Feature request: a good way to supply short-lived certificates to openssh
On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote: [...] > ssh_config contains a Match ... exec [command to refresh the certificate]. This sort of works, > except that it runs the command far too frequently. For example, ssh -O exit [name] refreshes > the certificate, and it should not do so. You can have the command check if the cert is expired or near
2020 Jun 23
4
SSH certificate and serverside ForceCommand
Hi, We're developing an open source project that uses SSH certificates. We issue short lived certificates (few minutes) to execute commands on behalf of users. We have a use case where we need to issue certificates with 10 days validity and store them, so we put a command inside them: ssh-keygen -s ca-key -I certN -n user -O force-command="wget something" -V +10d user-key.pub and
2024 Mar 08
3
PrivateKeyCommand config idea
G'day, In our infrastructure we're trying to be more diligent about switching to sk keys (and/or certs backed by sk keys.) However, there are some services like Gerrit and Jenkins which are written in java and I guess they will never support sk keys, or at least, it seems like it won't happen any time soon. For such services, typical practices at the moment include putting