[Bug 2436] Add ssh option to present certificates on command line
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Fri Sep 4 22:21:29 AEST 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2436
--- Comment #2 from David Gervais <dgervais at gmail.com> ---
We plan to use multiple certificates where a centralize authentication
and authorization service will provide limited-use ssh certificate
endorsements on user's ssh keys to uniquely access servers in our
network (currently consisting of ~200000+ servers). In this model
(which plans to replace our existing ssh proxy model), users will need
to juggle many certificates spanning each access attempt and even each
command they would like to run remotely. Having the functionality to
select a certificate within ssh itself will be amazingly helpful.
We have an ssh-certificate-agent application that can be used to
provide this functionality now by proxying the communication from ssh
to the ssh-agent where the ssh-certificate-agent can load the public
certificate and can delegate signing to the ssh-agent though this is
not an optimal solution. A patch for the ssh-certificate-agent (also
authored by mebhat) attached if interested.
With respect to using a command line option of -z, what would the
alternative be? The other potential solution I could envision would be
to overload the use of -i and if the provided argument ends with
-cert.pub, then we treat it as we do when parsing arguments from -z? I
think I would prefer isolating the behavior to a separate option,
though completely open to other alternatives.
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
More information about the openssh-bugs
mailing list