add keys and certificate to forwarded agent on remote host

Rory Campbell-Lange rory at campbell-lange.net
Mon Sep 17 23:13:19 AEST 2018


Apologies if this post is inappropriate to this list; please redirect me
if so.

Our team uses ssh extensively for server access and maintenance
(Debian). An issue is acting as root when operating, for example, over
ansible and keeping a record of who performed the actions, something ssh
certificates solves well. 

The problem is then to automate certificate issuance since it would be
pretty arduous for someone to keep issuing short-lived user
certificates.

I was intrigued to read Uber's ussh announcement page and wondered if
this suggests a route for doing so:
(https://medium.com/uber-security-privacy/introducing-the-uber-ssh-certificate-authority-4f840839c5cc)

    An employee gets a ussh certificate when they run the ussh command.
    This connects to the USSHCA, performs the pam conversation and
    forwards the client’s ssh agent to the CA. If the client
    successfully authenticates, the CA generates a new ssh key,
    populates the associated cert with the configured information
    (validity period, the user it’s valid for, the options permitted,
    etc.) and adds both the key and the certificate to the remote agent.
    The certificates are added to the agent with a timeout telling the
    agent to remove the keys when the certificate expires.

Assuming we write a program to generate a new key pair and associated
user certificate, how would one go about adding this to a forwarded
agent on the remote server hosting the program? Can ssh-add work on the
remote socket file? Is such an operation advisable?

Apologies for this rather naive questions, and also if I'm covering
well-worn territory.

Thanks
Rory




More information about the openssh-unix-dev mailing list