Feature request: a good way to supply short-lived certificates to openssh

Andy Lutomirski luto at kernel.org
Tue Mar 7 10:22:24 AEDT 2023


On Mon, Mar 6, 2023, at 2:09 PM, Darren Tucker wrote:
> On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote:
> [...]
>> ssh_config contains a Match ... exec [command to refresh the certificate].  This sort of works,
>> except that it runs the command far too frequently.  For example, ssh -O exit [name] refreshes
>> the certificate, and it should not do so.
>
> You can have the command check if the cert is expired or near expired
> before refreshing it.  I've done this in the past with expiring
> certificates.

True, but that doesn't help with the -O exit use case.  And it's really quite silly for any configuration using ControlMaster -- I don't want my certificates renewed when I'm joining an existing ControlMaster question.

So I still think that openssh doesn't have a great mechanism for this, and I think my feature request still makes sense.
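As an added illustration of the expiry check suggested in the quoted reply (this is not code from the thread or from OpenSSH): a helper that parses `ssh-keygen -L` output and only runs the refresh command when the certificate is expired, not yet valid, or within a margin of expiry. `refresh-cert.py`, `get-new-cert` and the sample output are hypothetical/constructed; as noted above, a check like this does not stop the command from being invoked on every matching ssh run, including `-O exit`.

```python
"""Refresh an OpenSSH certificate only when it is expired or close to expiry.
ssh_config use (get-new-cert is a hypothetical refresh command):
    Match host *.example.com exec "refresh-cert.py ~/.ssh/id_ed25519-cert.pub get-new-cert"
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta

RENEW_MARGIN = timedelta(minutes=15)   # refresh when this close to the "to" timestamp
TS_FMT = "%Y-%m-%dT%H:%M:%S"            # ssh-keygen -L prints local time, no zone suffix
VALID_RE = re.compile(r"^\s*Valid:\s+from\s+(\S+)\s+to\s+(\S+)\s*$", re.M)
FOREVER_RE = re.compile(r"^\s*Valid:\s+forever\s*$", re.M)

# Constructed, abbreviated sample of `ssh-keygen -L -f <cert>` output, for testing.
SAMPLE_OUTPUT = """/home/user/.ssh/id_ed25519-cert.pub:
        Valid: from 2023-03-06T13:00:00 to 2023-03-07T13:00:00
"""

def parse_validity(keygen_output):
    """Return (not_before, not_after) datetimes, or None for a 'forever' cert."""
    if FOREVER_RE.search(keygen_output):
        return None
    m = VALID_RE.search(keygen_output)
    if not m:
        raise ValueError("no 'Valid:' line in ssh-keygen -L output")
    return datetime.strptime(m.group(1), TS_FMT), datetime.strptime(m.group(2), TS_FMT)

def needs_refresh(keygen_output, now=None, margin=RENEW_MARGIN):
    """True if expired, not yet valid, or within `margin` of expiry; `now` is a datetime, ISO string or None."""
    if isinstance(now, str):
        now = datetime.strptime(now, TS_FMT)
    now = now or datetime.now()
    validity = parse_validity(keygen_output)
    if validity is None:
        return False
    not_before, not_after = validity
    return now < not_before or now + margin >= not_after

def main(cert_path, refresh_cmd):
    try:
        out = subprocess.run(["ssh-keygen", "-L", "-f", cert_path], capture_output=True, text=True, check=True).stdout
        due = needs_refresh(out)
    except (OSError, subprocess.CalledProcessError, ValueError):
        due = True   # missing or unreadable certificate: fetch a new one
    if not due:
        return 0
    return subprocess.call(refresh_cmd) if refresh_cmd else 1   # no command given: just report

if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2:]))
```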

