Feature request: a good way to supply short-lived certificates to openssh

Brian Candler b.candler at pobox.com
Wed Mar 8 00:00:22 AEDT 2023


This is the approach I take:

- generate a private key and certificate and stuff them into ssh-agent

- set the label in ssh-agent to something that identifies the key+cert, 
and the ssh-agent expiry time to be the same as the certificate expiry 
time, or slightly less

- each time you make an ssh connection, query the agent to see if 
there's the expected key+cert, and generate a new one if not

I'm using HashiCorp Vault to generate the certs, and I wrote this code 
for the client side:

https://github.com/candlerb/vault-ssh-agent-login

It skips the cert generation if there appears to be a valid cert already 
in the agent.

I invoke this via a wrapper script (below). I haven't looked into 
hooking it directly into ssh_config (which is what this thread was 
originally about).

#!/bin/bash -eu
# Wrapper: make sure ssh-agent holds a valid Vault-issued cert, then run ssh.
export VAULT_ADDR="https://vault.example.net:8200"

# No arguments:  just (re)issue the cert, with normal output.
# "-force":      discard any cached cert and issue a fresh one.
# Anything else: treat the arguments as an ssh command line and renew
#                quietly, only if the agent lacks a valid cert.
case "${1:-}" in
"-force") OPT="-force"; shift ;;
"")       OPT="" ;;
*)        OPT="-quiet" ;;
esac

# $OPT is deliberately unquoted: an empty value must expand to no argument.
vault-ssh-agent-login -role=my_ssh_role \
   -valid-principals="brian,ubuntu" \
   -auth-method=oidc -auth-path=google $OPT

# Use if/then rather than "[ ... ] && exec", so that running the script with
# no arguments (renew only) exits 0 instead of returning the failed test's 1.
if [ $# -gt 0 ]; then
    exec ssh "$@"
fi
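
The "query the agent and see whether the expected key+cert is still there" step above, as an added example; this is not code from the post or from vault-ssh-agent-login, which does its own check. It reads the lines `ssh-add -L` prints (key type, base64 blob, comment), parses the public fields of the OpenSSH certificate format directly instead of shelling out to `ssh-keygen -L`, so it runs offline, and reports whether a cert carrying the expected agent label is still valid for at least a safety margin. The label "vault-brian", the helper names, and the constructed sample cert (dummy keys, no signature) are assumptions for the demo; signature checking is deliberately not done here, since the server does that and the agent only holds what you loaded.

```python
"""Decide whether ssh-agent already holds a usable short-lived certificate.

Added example (not from the original post or from vault-ssh-agent-login).
Only the validity window and the agent label are checked, not the signature.
"""
import base64
import struct
import subprocess
import time

# Number of public-key fields that follow the nonce, per certificate type
# (ed25519: pk; rsa: e, n; ecdsa: curve name, Q).  Hypothetical: any other
# cert type is simply treated as unsupported.
_KEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,
    "ssh-rsa-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp384-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp521-cert-v01@openssh.com": 2,
}


def _read_string(buf, off):
    """SSH wire 'string': uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _read_u64(buf, off):
    return struct.unpack_from(">Q", buf, off)[0], off + 8


def parse_cert(b64):
    """Decode the public fields of an OpenSSH *-cert-v01@openssh.com blob."""
    buf = base64.b64decode(b64)
    ctype, off = _read_string(buf, 0)
    ctype = ctype.decode()
    if ctype not in _KEY_FIELDS:
        raise ValueError("unsupported certificate type: " + ctype)
    _nonce, off = _read_string(buf, off)
    for _ in range(_KEY_FIELDS[ctype]):            # skip the public key material
        _, off = _read_string(buf, off)
    serial, off = _read_u64(buf, off)
    (kind,) = struct.unpack_from(">I", buf, off)   # 1 = user cert, 2 = host cert
    off += 4
    key_id, off = _read_string(buf, off)
    princ_blob, off = _read_string(buf, off)       # a string of nested strings
    principals, p = [], 0
    while p < len(princ_blob):
        name, p = _read_string(princ_blob, p)
        principals.append(name.decode())
    valid_after, off = _read_u64(buf, off)
    valid_before, off = _read_u64(buf, off)        # 2**64-1 means "forever"
    return {"type": ctype, "serial": serial, "user_cert": kind == 1,
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def agent_certs(listing):
    """Yield (label, cert) for each cert line in `ssh-add -L` output.

    Plain keys and the "The agent has no identities." message are skipped.
    """
    for line in listing.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] in _KEY_FIELDS:
            yield parts[2].strip(), parse_cert(parts[1])


def needs_renewal(listing, label, now, margin=60):
    """True unless a cert labelled `label` is valid from `now` to now+margin.

    The margin absorbs clock skew against the server and the time the ssh
    handshake itself takes, so a cert about to expire counts as gone.
    """
    for comment, cert in agent_certs(listing):
        if comment != label:
            continue
        if cert["valid_after"] <= now and now + margin < cert["valid_before"]:
            return False
    return True


def query_agent():
    """Ask the running ssh-agent for its identities ("" if none)."""
    return subprocess.run(["ssh-add", "-L"], capture_output=True, text=True).stdout


def build_sample_cert(label, key_id, principals, valid_after, valid_before):
    """Constructed test data: an unsigned ed25519 cert line with dummy keys."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    body = (s(b"ssh-ed25519-cert-v01@openssh.com") + s(b"\x00" * 32)  # type, nonce
            + s(b"\x00" * 32)                                        # dummy pk
            + struct.pack(">QI", 7, 1)                               # serial, user
            + s(key_id.encode())
            + s(b"".join(s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + s(b"") + s(b"") + s(b"")      # critical options, extensions, reserved
            + s(b"") + s(b""))              # signature key, signature (dummy)
    return "ssh-ed25519-cert-v01@openssh.com %s %s" % (
        base64.b64encode(body).decode(), label)


if __name__ == "__main__":
    import sys
    want = sys.argv[1] if len(sys.argv) > 1 else "vault-brian"  # assumed label
    # Exit 1 when the wrapper should go and fetch a new cert from Vault.
    sys.exit(1 if needs_renewal(query_agent(), want, int(time.time())) else 0)
```

Run as `python3 agentcheck.py vault-brian && exec ssh host` to gate the Vault call on the exit status; because the post sets the agent lifetime to the cert lifetime (or a little less), an expired identity will usually have been dropped by the agent already, and the window check above covers the remaining case where the agent still lists a cert that is minutes from expiry.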




More information about the openssh-unix-dev mailing list