[Bug 2675] New: When adding certificates to ssh-agent, use expiry date as upper bound for lifetime

bugzilla-daemon at bugzilla.mindrot.org
Thu Feb 2 21:13:58 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2675

            Bug ID: 2675
           Summary: When adding certificates to ssh-agent, use expiry date
                    as upper bound for lifetime
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-add
          Assignee: unassigned-bugs at mindrot.org
          Reporter: adam at continusec.com

Created attachment 2935
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2935&action=edit
First cut of patch

For users that regularly receive new short-lived certificates, it is
useful to be able to add these to ssh-agent without the list of
identities continually growing.

Since ssh-add already supports a lifetime parameter, suggest changing
behaviour of ssh-add such that we always use the expiry date in the
certificate as an upper bound for the lifetime.

Sample usage:

$ ssh-add ~/.ssh/id_androgogic_shortlived_rsa
Set lifetime to 74594 to match certificate expiry time.
Identity added: /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa
(/Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa)
Lifetime set to 74594 seconds
Certificate added:
/Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa-cert.pub
(adam/androbot (for adam.eijdenberg at androgogic.com))
Lifetime set to 74594 seconds

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
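
The bound requested in this report can be computed outside ssh-add by reading valid_before from the -cert.pub file and passing the result to ssh-add -t. The sketch below is an added example, not the attached patch and not OpenSSH code; the field order follows OpenSSH's PROTOCOL.certkeys, all function names are hypothetical, and refusing an already expired certificate is this example's own choice.

```python
import base64
import struct
import time

FOREVER = 0xFFFFFFFFFFFFFFFF  # valid_before value meaning "no expiry"
SUFFIX = b"-cert-v01@openssh.com"
# Count of length-prefixed public-key fields between nonce and serial.
KEY_FIELDS = {b"ssh-rsa": 2, b"ssh-dss": 4, b"ssh-ed25519": 1,
              b"ecdsa-sha2-nistp256": 2, b"ecdsa-sha2-nistp384": 2,
              b"ecdsa-sha2-nistp521": 2}

def read_string(buf, off):
    """Read one uint32-length-prefixed field; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def cert_valid_before(cert_pub_line):
    """Extract valid_before (epoch seconds) from a *-cert.pub line."""
    blob = base64.b64decode(cert_pub_line.split()[1])
    ktype, off = read_string(blob, 0)
    base = ktype[:-len(SUFFIX)]
    if not ktype.endswith(SUFFIX) or base not in KEY_FIELDS:
        raise ValueError("not a known certificate type")
    for _ in range(1 + KEY_FIELDS[base]):  # nonce, then public-key fields
        _, off = read_string(blob, off)
    off += 8 + 4  # serial (uint64), certificate type (uint32)
    for _ in range(2):  # key id, valid principals
        _, off = read_string(blob, off)
    return struct.unpack_from(">QQ", blob, off)[1]  # (valid_after, valid_before)

def bounded_lifetime(cert_pub_line, requested=0, now=None):
    """Lifetime for ssh-add -t; 0 means no limit. Expiry is the upper bound."""
    now = int(time.time()) if now is None else now
    expiry = cert_valid_before(cert_pub_line)
    if expiry == FOREVER:
        return requested
    if expiry <= now:  # assumption of this example: refuse expired certificates
        raise ValueError("certificate already expired")
    return expiry - now if requested == 0 else min(requested, expiry - now)

def sample_cert(valid_before):
    """Constructed, unsigned ed25519-cert-shaped line (fields up to validity)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kt = b"ssh-ed25519" + SUFFIX
    blob = (s(kt) + s(b"\0" * 32) + s(b"\1" * 32) + struct.pack(">QI", 1, 1)
            + s(b"constructed-key-id") + s(s(b"user")) + struct.pack(">QQ", 0, valid_before))
    return kt.decode() + " " + base64.b64encode(blob).decode() + " constructed"
```

A wrapper would pass a non-zero result to ssh-add -t and omit -t when the result is 0.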

