Feature request: a good way to supply short-lived certificates to openssh

Rory Campbell-Lange rory at campbell-lange.net
Thu Mar 9 19:35:17 AEDT 2023

On 07/03/23, Andy Lutomirski (luto at kernel.org) wrote:
> On Tue, Mar 7, 2023, at 3:25 AM, Rory Campbell-Lange wrote:
> > On 07/03/23, Darren Tucker (dtucker at dtucker.net) wrote:
> >> On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote:
> >> [...]
> >> > ssh_config contains a Match ... exec [command to refresh the certificate].
> >> > This sort of works, except that it runs the command far too frequently.
> >> > For example, ssh -O exit [name] refreshes the certificate, and it should
> >> > not do so.
> >> 
> >> You can have the command check if the cert is expired or near expired
> >> before refreshing it.  I've done this in the past with expiring
> >> certificates.

I've put up a tool called `lsagentcerts` at
https://github.com/rorycl/lsagentcerts -- let me know if it is helpful. I'm not sure the operation is quite right and the output is clunky. I should probably put the key signatures in the output...

> > I'd be grateful to Andy if he explained what sort of command he runs to 
> > refresh certificates. I understood most refresh arrangements to involve 
> > OAuth2.
> The actual setup I'm using is:
> Host myhost
> 	Match host myhost exec "cloudflared access ssh-gen --hostname myhost.domain"
> 	ProxyCommand cloudflared access ssh --hostname myhost.domain
> 	IdentityFile ~/.cloudflared/blahblah
> 	CertificateFile ~/.cloudflared/blahblah.pub
> cloudflared is this thing (open source!):
> https://github.com/cloudflare/cloudflared

I hadn't heard of this. Cool.

> There are two pieces of magic here.  One is the "cloudflared access ssh-gen" command.  It's annoyingly slow (which could be fixed, presumably), and it refreshes the certificates in ~/.cloudflared, using (I presume -- haven't checked) OAuth2 behind the scenes.  The other is the ProxyCommand, which, as I've configured it, is just a proxy.

A quick glance suggests (at "handleCertificateGeneration", which takes a JWT and uses it to build a signPayload https://github.com/cloudflare/cloudflared/blob/bf3136debbe0d847dd0e27c8e91eb21a7e4af73d/sshgen/sshgen.go#L74) that the slowness may be caused by Cloudflare's certificate signing process (in "SignCert").


> I think the most straightforward change to openssh would be to allow me to rewrite it as:
> Host myhost
> 	PreAuthCommand cloudflared access ssh-gen --hostname myhost.domain
> 	ProxyCommand cloudflared access ssh --hostname myhost.domain
> 	IdentityFile ~/.cloudflared/blahblah

Maybe something like this would work:

    Host myhost
        Match host myhost exec "lsagentcerts -e 5s -t || cloudflared access ssh-gen --hostname myhost.domain"
        ProxyCommand cloudflared access ssh --hostname myhost.domain

"lsagentcerts -e 5s -t" stands for "expiring in 5 seconds, terse mode".
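As an added illustration of the "check if the cert is near expiry before refreshing" step that Darren describes and that the `-e 5s` check above performs, here is a small parser for the validity window of an OpenSSH certificate line. It is example code written for this note, not code from lsagentcerts or cloudflared; it decodes the certificate wire format far enough to reach the valid_after/valid_before fields, and the constructed test certificate carries a dummy key and signature (it parses, but would never verify).

```python
import base64, struct, time

# Number of "string" fields making up the public key part of each cert type
# (ssh-rsa: e, n; ecdsa: curve name, Q; ed25519: the 32-byte key).
PUBKEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-ed25519-cert-v01@openssh.com": 1,
                 "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2}

def _s(b):  # RFC 4251 "string": uint32 big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b

def parse_validity(cert_line):
    """Return (valid_after, valid_before) epoch seconds from a one-line OpenSSH cert."""
    cert_type, b64 = cert_line.split()[:2]
    blob = base64.b64decode(b64)
    pos = 0
    def take(n):
        nonlocal pos
        pos += n
        return blob[pos - n:pos]
    def rd_string():
        return take(struct.unpack(">I", take(4))[0])
    def rd_u64():
        return struct.unpack(">Q", take(8))[0]
    if rd_string().decode() != cert_type:
        raise ValueError("certificate type mismatch")
    rd_string()                                   # nonce
    for _ in range(PUBKEY_FIELDS[cert_type]):     # public key fields
        rd_string()
    rd_u64()                                      # serial
    take(4)                                       # cert type (user/host)
    rd_string()                                   # key id
    rd_string()                                   # valid principals
    return rd_u64(), rd_u64()                     # valid after, valid before

def needs_refresh(cert_line, margin_seconds, now=None):
    """True when the cert is not yet valid, expired, or expires within margin_seconds."""
    now = int(time.time()) if now is None else now
    after, before = parse_validity(cert_line)
    return now < after or before - now <= margin_seconds

def build_test_cert(valid_after, valid_before):
    """Constructed ed25519 cert with dummy key/signature: parses, never verifies."""
    t = b"ssh-ed25519-cert-v01@openssh.com"
    body = (_s(t) + _s(b"\0" * 32) + _s(b"\0" * 32) + struct.pack(">QI", 1, 1)
            + _s(b"demo") + _s(_s(b"user")) + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"") + _s(b"dummy-key") + _s(b"dummy-sig"))
    return t.decode() + " " + base64.b64encode(body).decode()
```

Fed the lines printed by `ssh-add -L` (or the contents of the CertificateFile), an exit status derived from `needs_refresh` gives the `Match exec` clause the decision it needs, so the slow ssh-gen call only runs when the certificate is actually about to lapse.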
