ssh-agent check for new fresh certificate (and key)? worthwhile doing?
Michael Ströder
michael at stroeder.com
Thu Feb 2 22:01:09 AEDT 2017
On 2017-02-02 11:49, Adam Eijdenberg wrote:
> On Thu, Feb 2, 2017 at 8:30 PM, Michael Ströder <michael at stroeder.com> wrote:
>> Would it be feasible to implement an SSH key agent which automagically
>> generates a new key pair (e.g. when triggered by ssh-add or cert is expired)
>> and sends the public key to an SSH signing service (authenticating the user
>> with stronger authc mechs like 2FA) which returns the short-term SSH
>> public-key cert? This would also make it possible to automatically add the
>> "from=" key options because the SSH client's IP address is known.
>
> That pretty much describes what we're doing with one of my customers,
> with SSO to Google Apps (which in turn enforces 2FA etc), and I know
> we aren't the only ones doing it. Once a day our users run a command:
>
> $ updatecerts
> Please click the "Allow" button in your browser to authorize our SSO tool.
> [..]
> 2017/02/02 21:34:47 SSH_AUTH_SOCK detected, adding certificate to ssh-agent.
Yes, I've already glanced over your github repo.
I was rather thinking about integrating the whole thing into a custom
SSO SSH key agent.
Hmm, one could even skip the ssh-add and integrate it into a wrapper
script when invoking ssh client.
Thanks for the additional links.
Ciao, Michael.
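Added example (my own code, not from this thread, from OpenSSH, or from Adam's updatecerts tool): the agent-side decision logic the proposal above needs. It assembles a certificate in the OpenSSH ssh-ed25519-cert-v01@openssh.com wire layout with constructed placeholder CA-key and signature fields (so it parses but would never verify), reads back the fields an agent cares about (validity window, principals, critical options such as source-address, which is the certificate-side counterpart of the authorized_keys "from=" option), and decides whether it is time to mint a new key pair and ask the signing service for a fresh cert. The function names, the key id michael@sso and the address 203.0.113.7 are assumptions made for the example.

```python
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"


def _s(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(b)) + b


def build_cert_line(pubkey, key_id, principals, valid_after, valid_before,
                    source_address=None):
    """Assemble a user certificate in the ssh-ed25519-cert-v01 layout and return
    it as an authorized_keys-style line.  Constructed for illustration only:
    CA key and signature are placeholders, so it is parseable, not valid."""
    critical = b""
    if source_address is not None:
        # Critical option 'source-address' (what ssh-keygen -O source-address=
        # produces); the option data is itself a string-wrapped string.
        critical = _s(b"source-address") + _s(_s(source_address.encode()))
    # Extensions are listed in lexical order; empty data means "present".
    extensions = b"".join(_s(n) + _s(b"") for n in (b"permit-pty", b"permit-user-rc"))
    blob = (
        _s(CERT_TYPE.encode())
        + _s(b"\x00" * 32)                      # nonce (constructed)
        + _s(pubkey)                            # ed25519 public key bytes
        + struct.pack(">Q", 1)                  # serial
        + struct.pack(">I", 1)                  # type 1 = user certificate
        + _s(key_id.encode())
        + _s(b"".join(_s(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _s(critical)
        + _s(extensions)
        + _s(b"")                               # reserved
        + _s(b"CA-KEY-PLACEHOLDER")             # signature key (placeholder)
        + _s(b"SIGNATURE-PLACEHOLDER")          # signature (placeholder)
    )
    return f"{CERT_TYPE} {base64.b64encode(blob).decode()} {key_id}"


class _Reader:
    """Sequential reader for SSH wire-format fields; rejects truncated input."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def _take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk
    def u32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]
    def u64(self) -> int:
        return struct.unpack(">Q", self._take(8))[0]
    def string(self) -> bytes:
        return self._take(self.u32())


def parse_cert_line(line: str) -> dict:
    """Decode the fields an agent needs from '<type> <base64> [comment]'.
    The CA signature is deliberately not checked here; sshd does that at login."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].endswith("-cert-v01@openssh.com"):
        raise ValueError("not an OpenSSH certificate line")
    r = _Reader(base64.b64decode(parts[1]))
    cert = {"type": r.string().decode()}
    r.string()  # nonce
    r.string()  # public key
    cert["serial"] = r.u64()
    cert["cert_type"] = r.u32()
    cert["key_id"] = r.string().decode()
    pr, cert["principals"] = _Reader(r.string()), []
    while pr.pos < len(pr.data):
        cert["principals"].append(pr.string().decode())
    cert["valid_after"] = r.u64()
    cert["valid_before"] = r.u64()
    cr, cert["critical_options"] = _Reader(r.string()), {}
    while cr.pos < len(cr.data):
        name, data = cr.string().decode(), cr.string()
        cert["critical_options"][name] = _Reader(data).string().decode() if data else ""
    return cert


def needs_renewal(cert: dict, now: int, margin: int = 300) -> bool:
    """The agent's trigger: renew (new key pair + signing request) when the cert
    is not yet valid, has expired, or expires within `margin` seconds."""
    return not (cert["valid_after"] <= now < cert["valid_before"] - margin)


if __name__ == "__main__":
    import time
    now = int(time.time())
    line = build_cert_line(b"\x11" * 32, "michael@sso", ["michael"],
                           now - 60, now + 8 * 3600, source_address="203.0.113.7")
    cert = parse_cert_line(line)
    print(cert["key_id"], cert["principals"], cert["critical_options"])
    print("renew now:", needs_renewal(cert, now), "| in 8h:", needs_renewal(cert, now + 8 * 3600))
```

In a real agent the blob would come back from the signing service, the parser's result would drive the "re-run the SSO flow" decision before each ssh invocation, and the source-address value would be what the service observed as the client address, not something the client chose.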