Feature request: a good way to supply short-lived certificates to openssh

Darren Tucker dtucker at dtucker.net
Tue Mar 7 09:09:17 AEDT 2023

On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote:
> ssh_config contains a Match ... exec [command to refresh the certificate].  This sort of works,
> except that it runs the command far too frequently.  For example, ssh -O exit [name] refreshes
> the certificate, and it should not do so.

You can have the command check if the cert is expired or near expired
before refreshing it.  I've done this in the past with expiring

> This would be more useful if ssh could _start_ the agent.

This is difficult because ssh relies on $SSH_AUTH_SOCK in its
environment to find the agent's socket.

In normal use, the way this works is usually one of:
 - the agent is started before the shell (e.g. by a desktop
environment), the shell inherits SSH_AUTH_SOCK from the window manager
or equivalent and ssh inherits it from the shell.
 - the agent starts the command, which inherits SSH_AUTH_SOCK
directly from the agent.
 - the agent outputs SSH_AUTH_SOCK on stdout for the shell to parse
(this is why you need to eval it, otherwise the agent has no way of
setting SSH_AUTH_SOCK in its parent shell).

Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
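
The expiry check suggested in the reply above, sketched as an added example (not code from the thread or from OpenSSH): it reads the `Valid:` line of `ssh-keygen -L` output and runs the refresh only when the certificate is missing, expired, or within a margin of expiring. The certificate path, the `refresh-ssh-cert` command and the five-minute margin are assumptions.

```python
#!/usr/bin/env python3
"""Run the certificate refresh only when the cert is expired or near expiry."""
import os
import re
import subprocess
import sys
from datetime import datetime, timedelta

CERT = os.path.expanduser("~/.ssh/id_ed25519-cert.pub")  # assumed path
REFRESH_CMD = ["refresh-ssh-cert"]  # hypothetical refresh command
MARGIN = timedelta(minutes=5)       # treat "expires within 5 min" as expired

# Constructed, trimmed sample of `ssh-keygen -L` output (local time, no zone).
SAMPLE = """id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Valid: from 2023-03-07T09:00:00 to 2023-03-07T10:00:00
"""
VALID_RE = re.compile(r"^\s*Valid:\s*(.+?)\s*$", re.M)

def valid_before(listing):
    """Expiry as a naive local datetime, or None if the cert never expires."""
    m = VALID_RE.search(listing)
    if not m:
        raise ValueError("no Valid: line")
    text = m.group(1)
    # ssh-keygen prints: forever | after T | before T | from T1 to T2
    if text == "forever" or text.startswith("after "):
        return None
    return datetime.strptime(text.split()[-1], "%Y-%m-%dT%H:%M:%S")

def needs_refresh(listing, now, margin=MARGIN):
    try:
        expiry = valid_before(listing)
    except ValueError:  # missing or unparseable cert: fetch a new one
        return True
    return expiry is not None and now + margin >= expiry

def main():
    out = subprocess.run(["ssh-keygen", "-L", "-f", CERT],
                         capture_output=True, text=True)
    listing = out.stdout if out.returncode == 0 else ""
    if needs_refresh(listing, datetime.now()):
        return subprocess.run(REFRESH_CMD).returncode
    return 0  # certificate still valid: skip the refresh

if __name__ == "__main__":
    sys.exit(main())
```

Used as the `Match ... exec` command, this still runs on every ssh invocation (including `ssh -O exit`), but the refresh itself only happens when the certificate actually needs it.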
