ssh-agent check for new fresh certificate (and key)? worthwhile doing?

Michael Ströder michael at stroeder.com
Thu Feb 2 20:30:50 AEDT 2017


Damien Miller wrote:
> On Thu, 2 Feb 2017, Adam Eijdenberg wrote:
> 
>> On Thu, Feb 2, 2017 at 10:42 AM Damien Miller <djm at mindrot.org> wrote:
>>> On Thu, 2 Feb 2017, Adam Eijdenberg wrote:
>>>> I guess a case could be made for ssh-add to always set a timeout when
>>>> adding a certificate with an expiry time, but I think for now I'm
>>>> happy enough to do that on our end.
>>>
>>> That sounds like a fine idea.
>>
>> Damien, to clarify did you mean it would be a fine idea to submit a
>> patch to ssh-add to do so? (or a fine idea to leave it alone and
>> handle externally)
> 
> It's a fine idea for a feature - even just filing it on bugzilla would be
> good.

I'm also thinking about how to raise the security bar of SSH keys.

Would it be feasible to implement an SSH key agent which automagically generates a new key
pair (e.g. when triggered by ssh-add or when the cert is expired) and sends the public key to a
SSH signing service (authenticating the user with stronger authc mechs like 2FA) which
returns the short-term SSH public-key cert? This would also make it possible to
automatically add the "from=" key options because the SSH client's IP address is known.

Ciao, Michael.
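The "handle it externally" approach Adam mentions, written out as an added example (it is not code from this thread or from OpenSSH): a small wrapper that reads the certificate's expiry from `ssh-keygen -L` and passes the remaining lifetime to `ssh-add -t`, so the agent forgets the key at the same moment the certificate stops validating. It assumes the `Valid:` line formats that `ssh-keygen -L` prints (`forever`, `from A to B`, `before B`, `after A`) with local-time timestamps in `%Y-%m-%dT%H:%M:%S` layout; the sample `ssh-keygen -L` output, key ID, serial and fingerprints are constructed so the parsing can be exercised offline.

```python
"""Add an SSH certificate to ssh-agent with a lifetime clipped to the cert's expiry.

Added example, not code from the thread or from OpenSSH: it does externally what
the thread suggests ssh-add might one day do itself. Assumes the "Valid:" line
formats printed by `ssh-keygen -L` (forever / from..to / before / after) with
local-time timestamps.
"""
import re
import subprocess
import sys
from datetime import datetime
from typing import Optional

# Assumed timestamp layout of `ssh-keygen -L` (local time, no zone suffix).
TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample of `ssh-keygen -L -f id_ed25519-cert.pub` output (fingerprints,
# key ID and serial are placeholders), used so the functions below can run offline.
SAMPLE_CERT_INFO = """\
id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDERFINGERPRINT
        Signing CA: ED25519 SHA256:PLACEHOLDERCAFINGERPRINT
        Key ID: "michael"
        Serial: 42
        Valid: from 2017-02-02T10:00:00 to 2017-02-02T18:00:00
        Principals:
                michael
        Critical Options: (none)
        Extensions:
                permit-pty
"""


def parse_expiry(cert_info: str) -> Optional[datetime]:
    """Return the certificate's expiry as a datetime, or None if it never expires."""
    m = re.search(r"^\s*Valid:\s*(.*)$", cert_info, re.MULTILINE)
    if not m:
        raise ValueError("no 'Valid:' line in ssh-keygen -L output")
    validity = m.group(1).strip()
    # "forever" and "after A" have no upper bound.
    if validity == "forever" or validity.startswith("after "):
        return None
    # "from A to B" and "before B" both end with the expiry timestamp.
    m = re.search(r"(?:to|before)\s+(\S+)$", validity)
    if not m:
        raise ValueError(f"unrecognised validity: {validity!r}")
    return datetime.strptime(m.group(1), TIMESTAMP_FMT)


def agent_lifetime(cert_info: str, now: datetime, margin: int = 30) -> Optional[int]:
    """Seconds to pass to `ssh-add -t`, or None for no limit.

    Raises ValueError if the cert is already expired or within `margin` seconds of
    expiry: the margin makes the agent drop the key slightly before the server would
    reject the cert, so a session is never started with a cert about to lapse.
    """
    expiry = parse_expiry(cert_info)
    if expiry is None:
        return None
    remaining = int((expiry - now).total_seconds()) - margin
    if remaining <= 0:
        raise ValueError(f"certificate expired or about to expire at {expiry}")
    return remaining


def main(argv):
    """Usage: add_cert.py <private key>; expects <private key>-cert.pub beside it."""
    if len(argv) != 2:
        sys.exit("usage: add_cert.py <private key path>")
    key_path = argv[1]
    info = subprocess.run(
        ["ssh-keygen", "-L", "-f", key_path + "-cert.pub"],
        check=True, capture_output=True, text=True,
    ).stdout
    lifetime = agent_lifetime(info, datetime.now())
    cmd = ["ssh-add"]
    if lifetime is not None:
        cmd += ["-t", str(lifetime)]
    subprocess.run(cmd + [key_path], check=True)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 add_cert.py ~/.ssh/id_ed25519` after the CA has written `~/.ssh/id_ed25519-cert.pub`; with the sample validity window above and a clock of 17:00 it would call `ssh-add -t 3570`. A certificate that is already expired is refused rather than added with a zero or negative lifetime, which is the edge case an automatic `ssh-add` timeout would also have to decide on.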
