Feature request: a good way to supply short-lived certificates to openssh
Andy Lutomirski
luto at kernel.org
Tue Mar 7 10:22:24 AEDT 2023
On Mon, Mar 6, 2023, at 2:09 PM, Darren Tucker wrote:
> On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote:
> [...]
>> ssh_config contains a Match ... exec [command to refresh the certificate]. This sort of works,
>> except that it runs the command far too frequently. For example, ssh -O exit [name] refreshes
>> the certificate, and it should not do so.
>
> You can have the command check if the cert is expired or near expired
> before refreshing it. I've done this in the past with expiring
> certificates.
True, but that doesn't help with the -O exit use case. And it's really quite silly for any configuration using ControlMaster -- I don't want my certificates renewed when I'm joining an existing ControlMaster session.
So I still think that openssh doesn't have a great mechanism for this, and I think my feature request still makes sense.
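The expiry check Darren suggests, as an added example (not code from either poster): a wrapper for the `Match ... exec` command that parses `ssh-keygen -L` output and only runs the real refresh when the cert is missing, expired or within a margin of expiry. The script name, the `get-new-cert` refresh command, the paths and the sample listing are all assumptions; a hypothetical ssh_config line would be `Match host *.example.com exec "refresh-cert.py ~/.ssh/id_ed25519-cert.pub get-new-cert"`.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta

# Matches the "Valid: from X to Y" line printed by `ssh-keygen -L`.
VALID_RE = re.compile(r"Valid:\s+from\s+(\S+)\s+to\s+(\S+)")
TIME_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample of `ssh-keygen -L` output; only the Valid line is parsed.
SAMPLE_LISTING = """/home/user/.ssh/id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Valid: from 2023-03-06T14:09:00 to 2023-03-07T14:09:00
"""

def validity(listing):
    """(not_before, not_after) from `ssh-keygen -L` output; None if valid forever."""
    m = VALID_RE.search(listing)
    if not m:
        return None
    return (datetime.strptime(m.group(1), TIME_FMT),
            datetime.strptime(m.group(2), TIME_FMT))

def needs_refresh(listing, now_iso, margin_minutes=10):
    """True if the cert is not yet valid, expired, or expires within the margin."""
    span = validity(listing)
    if span is None:
        return False
    now = datetime.strptime(now_iso, TIME_FMT)
    not_before, not_after = span
    return now < not_before or now + timedelta(minutes=margin_minutes) >= not_after

def main(argv):
    """Usage: refresh-cert.py CERT_PATH REFRESH_COMMAND [ARGS...]"""
    cert_path, refresh_cmd = argv[1], argv[2:]
    # A missing or unreadable cert gives no listing and therefore a refresh.
    res = subprocess.run(["ssh-keygen", "-L", "-f", cert_path],
                         capture_output=True, text=True)
    listing = res.stdout if res.returncode == 0 else ""
    now_iso = datetime.now().strftime(TIME_FMT)
    if not listing or needs_refresh(listing, now_iso):
        # Non-zero exit on failure makes the Match block not apply.
        subprocess.run(refresh_cmd, check=True)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

As Andy notes, this only reduces the cost of each run; `Match exec` still fires on every ssh invocation, including `ssh -O exit`.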