As background, for one of my clients we built out a command line tool which does SSO with Google Apps, then generates a new SSH key pair, and sends this off to an internal service which verifies the request and then issues a new short-lived (24-hour) certificate (if interested, the code for the server and client is open-sourced here: https://github.com/continusec/geecert), overwriting the previous certificate and private key.

Some of our users like to use SSH agent forwarding, and while this generally works fine, when our users run their daily command to get a new certificate, their ssh-agent still holds the old one.

Would it be reasonable to write a patch to ssh-agent that changed its behavior to: check whether a certificate it is going to use is expired (or close to it, or maybe just changed on disk), and if so, check if there is a new certificate at the same location, and if so, drop the current certificate / private key and replace it with the new certificate / private key?

Alternatively I could change our daily command to check if ssh-agent is running with the cert there, and ask it to add a new one (and somehow clean out the old one), but since I'm a glutton for punishment, I thought I'd ask here whether a more general solution is likely to be accepted if I submitted a patch along those lines.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
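The client-side alternative sketched in the post, as an added example that is not code from the post or from the geecert project: a script the daily command could run to drop the stale key and certificate from a running ssh-agent and load the freshly issued pair. It assumes the private key lives at a hypothetical path such as ~/.ssh/id_geecert with the certificate beside it as id_geecert-cert.pub (the layout ssh-add looks for), and that the agent recorded the key path as the comment of each identity, which is what ssh-add does when the key file carries no comment of its own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or the geecert project).
# Replace a re-issued short-lived certificate in a running ssh-agent.

# Pull the end of the validity window out of `ssh-keygen -L -f <cert>` text.
# ssh-keygen prints YYYY-MM-DDTHH:MM:SS (local time), so the timestamps
# compare correctly as plain strings; no date arithmetic is needed.
cert_valid_to() {
  printf '%s\n' "$1" | sed -n 's/.*Valid: from [^ ]* to \([^ ]*\).*/\1/p'
}

# True (exit 0) when the certificate described by $1 is expired at time $2,
# given in the same YYYY-MM-DDTHH:MM:SS form.
cert_expired_at() {
  local end
  end=$(cert_valid_to "$1")
  [ -n "$end" ] && [ "$end" \< "$2" ]
}

# From `ssh-add -L` style lines in $1 ("type blob comment"), print the entries
# whose comment is the key path $2 but whose blob is not among the current
# on-disk blobs in $3 (newline separated): the leftovers from the last issuance.
# Assumption: the agent holds each identity with the key path as its comment.
stale_agent_entries() {
  printf '%s\n' "$1" | awk -v path="$2" -v fresh="$3" '
    BEGIN { n = split(fresh, f, "\n"); for (i = 1; i <= n; i++) keep[f[i]] = 1 }
    $3 == path && !($2 in keep) { print }'
}

# Remove every stale identity for the key at $1 (hypothetical default
# ~/.ssh/id_geecert) from the agent, then load the new key and certificate.
refresh_agent_cert() {
  local key=${1:-$HOME/.ssh/id_geecert} fresh tmp line
  if cert_expired_at "$(ssh-keygen -L -f "$key-cert.pub")" \
                     "$(date +%Y-%m-%dT%H:%M:%S)"; then
    echo "certificate on disk has already expired; re-issue it first" >&2
    return 1
  fi
  fresh=$(awk '{print $2}' "$key.pub" "$key-cert.pub")
  tmp=$(mktemp)
  # ssh-add -d wants a public key file, so write each stale entry (plain key
  # or certificate) to a file of its own and remove it from the agent.
  stale_agent_entries "$(ssh-add -L 2>/dev/null)" "$key" "$fresh" |
  while IFS= read -r line; do
    printf '%s\n' "$line" > "$tmp"
    ssh-add -d "$tmp"
  done
  rm -f "$tmp"
  ssh-add "$key"   # loads the key and picks up "$key-cert.pub" automatically
}
```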