Feature request: a good way to supply short-lived certificates to openssh
Rory Campbell-Lange
rory at campbell-lange.net
Thu Mar 9 19:35:17 AEDT 2023
On 07/03/23, Andy Lutomirski (luto at kernel.org) wrote:
> On Tue, Mar 7, 2023, at 3:25 AM, Rory Campbell-Lange wrote:
> > On 07/03/23, Darren Tucker (dtucker at dtucker.net) wrote:
> >> On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote:
> >> [...]
> >> > ssh_config contains a Match ... exec [command to refresh the certificate].
> >> > This sort of works, except that it runs the command far too frequently.
> >> > For example, ssh -O exit [name] refreshes the certificate, and it should
> >> > not do so.
> >>
> >> You can have the command check if the cert is expired or near expired
> >> before refreshing it. I've done this in the past with expiring
> >> certificates.
I've put up a tool called `lsagentcerts` at
https://github.com/rorycl/lsagentcerts -- let me know if it is helpful.
I'm not sure the operation is quite right and the output is clunky.
I should probably put the key signatures in the output...
> > I'd be grateful to Andy if he explained what sort of command he runs to
> > refresh certificates. I understood most refresh arrangements to involve
> > OAuth2.
>
> The actual setup I'm using is:
>
> Host myhost
> Match host myhost exec "cloudflared access ssh-gen --hostname myhost.domain"
> ProxyCommand cloudflared access ssh --hostname myhost.domain
> IdentityFile ~/.cloudflared/blahblah
> CertificateFile ~/.cloudflared/blahblah.pub
>
> cloudflared is this thing (open source!):
>
> https://github.com/cloudflare/cloudflared
I hadn't heard of this. Cool.
> There are two pieces of magic here. One is the "cloudflared access ssh-gen" command. It's annoyingly slow (which could be fixed, presumably), and it refreshes the certificates in ~/.cloudflared, using (I presume -- haven't checked) OAuth2 behind the scenes. The other is the ProxyCommand, which, as I've configured it, is just a proxy.
A quick glance suggests (at "handleCertificateGeneration", which takes a JWT and uses it to build a signPayload https://github.com/cloudflare/cloudflared/blob/bf3136debbe0d847dd0e27c8e91eb21a7e4af73d/sshgen/sshgen.go#L74) that the slowness may be caused by Cloudflare's certificate signing process (in "SignCert").
...
> I think the most straightforward change to openssh would be to allow me to rewrite it as:
>
> Host myhost
> PreAuthCommand cloudflared access ssh-gen --hostname myhost.domain
> ProxyCommand cloudflared access ssh --hostname myhost.domain
> IdentityFile ~/.cloudflared/blahblah
Maybe something like this would work:
Match host myhost exec "lsagentcerts -e 5s -t || \
cloudflared access ssh-gen --hostname myhost.domain"
ProxyCommand cloudflared access ssh --hostname myhost.domain
Host myhost
...
"lsagentcerts -e 5s -t" stands for "expiring in 5 seconds, terse mode".
Cheers
Rory
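An added example (not lsagentcerts, cloudflared, or anyone's code from this thread) of the "check before refreshing" predicate Darren describes: it parses the "Valid:" line that `ssh-keygen -L` prints for a certificate and succeeds only when the cert is missing, unparsable, or due to expire within a threshold, so it can gate the refresh in a `Match ... exec` the way the config above does. It assumes GNU `date` and a certificate path that the caller supplies.

```shell
#!/bin/sh
# Gate an ssh certificate refresh on actual expiry instead of running it on every
# ssh invocation. Example code; assumes GNU date (for "date -d").

# cert_expiry_epoch LISTING: print the expiry of an "ssh-keygen -L" listing as
# seconds since the epoch. Prints nothing when the cert has no upper bound
# ("Valid: forever" or "Valid: after ..."). Takes text so it is testable offline.
cert_expiry_epoch() {
    to=$(printf '%s\n' "$1" | sed -n \
        -e 's/^[[:space:]]*Valid: from .* to //p' \
        -e 's/^[[:space:]]*Valid: before //p' | head -n 1)
    [ -n "$to" ] || return 0
    date -d "$to" +%s 2>/dev/null
}

# expires_within EXPIRY_EPOCH THRESHOLD_SECONDS NOW_EPOCH: exit 0 if the cert
# expires within the threshold (or already has), 1 otherwise.
expires_within() {
    [ "$1" -le $(( $3 + $2 )) ]
}

# cert_needs_refresh CERTFILE [THRESHOLD_SECONDS]: the predicate used from
# ssh_config. Exit 0 means "refresh now"; anything we cannot read or parse is
# treated as needing a refresh, since a failed refresh is cheaper than a
# rejected login. THRESHOLD defaults to 300 seconds.
cert_needs_refresh() {
    file=$1; threshold=${2:-300}
    [ -r "$file" ] || return 0
    listing=$(ssh-keygen -L -f "$file" 2>/dev/null) || return 0
    case "$listing" in *"Valid: "*) ;; *) return 0 ;; esac
    exp=$(cert_expiry_epoch "$listing")
    [ -n "$exp" ] || return 1            # no expiry bound: nothing to refresh
    expires_within "$exp" "$threshold" "$(date +%s)"
}

# Wiring (constructed paths): save this file as ~/.ssh/refresh-if-needed.sh,
# append the two lines below, and point ssh_config at it:
#   Match host myhost exec "sh ~/.ssh/refresh-if-needed.sh"
# The script must exit 0 so the Match block still applies after a refresh:
#   cert_needs_refresh "$HOME/.cloudflared/blahblah.pub" 300 && \
#       cloudflared access ssh-gen --hostname myhost.domain; exit 0
```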