ssh-agent check for new fresh certificate (and key)? worthwhile doing?

Adam Eijdenberg adam at continusec.com
Wed Feb 1 21:40:56 AEDT 2017


As background, for one of my clients we built out a command line tool
which does SSO with Google Apps, then generates a new SSH key pair,
and sends this off to an internal service which verifies the request
and then issues a new short lived (24 hour) certificate (if interested
the code for the server and client is open-sourced here:
https://github.com/continusec/geecert), overwriting the previous
certificate and private key.

Some of our users like to use SSH agent forwarding, and while this
generally works fine, when our users run their daily command to get a
new certificate, their ssh-agent still holds the old one.

Would it be reasonable to write a patch to ssh-agent that changed its
behavior to:

Check whether a certificate it is going to use is expired (or close to
it, or maybe just changed on disk), and if so, check if there is a new
certificate at the same location, and if so, drop the current
certificate / private key, and replace it with the new certificate /
private key?

Alternatively I could change our daily command to check if ssh-agent
is running with the cert there, and ask it to add a new one (and
somehow clean out the old one), but since I'm a glutton for
punishment, I thought I'd ask here whether a more general solution is
likely to be accepted if I submitted a patch along those lines.
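As an added example (not code from this post, from OpenSSH or from geecert), the following POSIX shell script implements the client-side alternative described above: after the daily tool has written a fresh key and certificate, it checks whether the certificate on disk is about to expire, checks whether the running ssh-agent already holds that certificate, and if not, removes the stale identities and loads the new ones. The key path, the one-hour threshold, the two sample listings (a constructed `ssh-keygen -L` excerpt and a constructed `ssh-add -L` listing) and the assumption that ssh-add recorded the key's file name as the agent comment (which it does when the private key carries no comment of its own) are all assumptions made for the example.

```shell
#!/bin/sh
# refresh_agent_cert.sh: replace a stale certificate (and its key) in a running
# ssh-agent. Added example for this thread; not part of OpenSSH or of geecert.
# Assumptions: the daily tool writes the private key to KEY and the certificate
# to KEY-cert.pub, ssh-add/ssh-keygen are on PATH, SSH_AUTH_SOCK points at the
# agent, and `ssh-keygen -L` prints "Valid: from <ts> to <ts>" (local time) or
# "Valid: forever". Needs only POSIX sh and awk.
set -eu

# Constructed sample output used by the self-checks; not captured from a real agent.
SAMPLE_KEYGEN_L='/home/alice/.ssh/id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:EXAMPLEFINGERPRINT
        Key ID: "alice@example.com"
        Valid: from 2017-02-01T10:00:00 to 2017-02-02T10:00:00'
SAMPLE_AGENT_L='ssh-ed25519 AAAAEXAMPLEOLDKEY /home/alice/.ssh/id_ed25519
ssh-ed25519-cert-v01@openssh.com AAAAEXAMPLEOLDCERT /home/alice/.ssh/id_ed25519
ssh-rsa AAAAEXAMPLEOTHERKEY /home/alice/.ssh/id_rsa_work'

# Print the "to" timestamp from `ssh-keygen -L` output on stdin ("forever" if unbounded).
cert_valid_to() {
    awk '/^[ \t]*Valid:/ {
        if ($2 == "forever") print "forever"
        else print $NF
        exit
    }'
}

# Exit 0 when a certificate valid until $1 expires on or before deadline $2.
# Both are ISO 8601 timestamps with fixed-width fields, so string order is time order.
needs_refresh() {
    if [ "$1" = "forever" ]; then return 1; fi
    awk -v valid_to="$1" -v deadline="$2" 'BEGIN { exit !(valid_to <= deadline) }'
}

# Exit 0 when the agent listing on stdin (`ssh-add -L`) contains the key or
# certificate given as $1 (one .pub line); the comment field is ignored.
agent_holds() {
    want=$(printf '%s\n' "$1" | awk '{ print $1, $2 }')
    awk -v want="$want" '($1 " " $2) == want { found = 1 } END { exit !found }'
}

# From `ssh-add -L` output on stdin, print the identities loaded from key path $1.
# Assumption: ssh-add stored the file name as the comment for the key and its
# certificate, which it does when the private key file carries no comment.
agent_identities_for() {
    awk -v path="$1" '$3 == path'
}

# Drop every identity the agent holds for key path $1, then load the fresh key;
# ssh-add picks up $1-cert.pub on its own. ssh-add -d needs the public key as a
# file, so each stale listing line is written out and removed in turn.
refresh_agent_identity() {
    tmp=$(mktemp)
    ssh-add -L 2>/dev/null | agent_identities_for "$1" |
    while IFS= read -r line; do
        printf '%s\n' "$line" > "$tmp"
        ssh-add -d "$tmp" >/dev/null 2>&1 || true
    done
    rm -f "$tmp"
    ssh-add "$1"
}

# Usage: refresh_agent_cert.sh [KEY] [THRESHOLD_SECONDS]
main() {
    key=${1:-$HOME/.ssh/id_ed25519}
    threshold=${2:-3600}
    cert="$key-cert.pub"
    valid_to=$(ssh-keygen -L -f "$cert" | cert_valid_to)
    later=$(( $(date +%s) + threshold ))
    # GNU date first, BSD/macOS date as fallback; both format local time like ssh-keygen.
    deadline=$(date -d "@$later" +%Y-%m-%dT%H:%M:%S 2>/dev/null ||
               date -r "$later" +%Y-%m-%dT%H:%M:%S)
    if needs_refresh "$valid_to" "$deadline"; then
        echo "certificate on disk expires $valid_to: get a new one first" >&2
        return 1
    fi
    if ssh-add -L 2>/dev/null | agent_holds "$(cat "$cert")"; then
        echo "agent already holds the current certificate (valid until $valid_to)"
    else
        echo "agent does not hold the current certificate: refreshing $key"
        refresh_agent_identity "$key"
    fi
}

# With no arguments the script only defines the functions (so it can be sourced);
# pass the key path to act on the agent.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it right after the daily command, e.g. `sh refresh_agent_cert.sh ~/.ssh/id_ed25519 3600`. The expiry check is deliberately done before touching the agent: reloading an already expired certificate would only replace one stale identity with another, so the script refuses and asks for a new certificate instead. Because `ssh-add -d` identifies an identity by its public key, the stale public keys are recovered from `ssh-add -L` rather than from disk, where the daily tool has already overwritten them.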
