Feature request: a good way to supply short-lived certificates to openssh
Brian Candler
b.candler at pobox.com
Wed Mar 8 00:00:22 AEDT 2023
This is the approach I take:
- generate a private key and certificate and stuff them into ssh-agent
- set the label in ssh-agent to something that identifies the key+cert,
and the ssh-agent expiry time to be the same as the certificate expiry
time, or slightly less
- each time you make an ssh connection, query the agent to see if
there's the expected key+cert, and generate a new one if not
I'm using Hashicorp Vault to generate the certs, and I wrote this code
for the client side:
https://github.com/candlerb/vault-ssh-agent-login
It skips the cert generation if there appears to be a valid cert already
in the agent.
I invoke this via a wrapper script (below). I haven't looked into
hooking it directly into ssh_config (which is what this thread was
originally about).
#!/bin/bash -eu
export VAULT_ADDR="https://vault.example.net:8200"
case "${1:-}" in
"-force") OPT="-force"; shift ;;
"") OPT="" ;;
*) OPT="-quiet" ;;
esac
vault-ssh-agent-login -role=my_ssh_role \
-valid-principals="brian,ubuntu" \
-auth-method=oidc -auth-path=google $OPT
[ $# -gt 0 ] && exec ssh "$@"
More information about the openssh-unix-dev
mailing list