On Thu, Feb 2, 2017 at 1:16 AM, Peter Moody <mindrot@xxxxxxxx> wrote:
> why not add the certificate to the running ssh-agent with a timeout
> that expires when the cert does?

That's an excellent idea. I've modified our tooling to do exactly that (https://github.com/continusec/geecert/commit/dfeee14b278e28d15bf532bb6e6e8ffe530e6b11). Thank you for the suggestion.

> I don't think ssh-agent exposes a "how long until this key expires"
> api, but you can at least use this method to see if the cert/key are
> *on* the agent and you can assume that if they're on the agent, then
> they're valid.

I guess a case could be made for ssh-add to always set a timeout when adding a certificate with an expiry time, but I think for now I'm happy enough to do that on our end.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
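As an added example (not code from this thread or from geecert), the approach discussed above in Python: read the `Valid:` line from `ssh-keygen -L` output, compute how long the certificate has left, and pass that as the `-t` lifetime to `ssh-add` so the agent forgets the key when the certificate expires. The listing is constructed, and `parse_ts`, `agent_lifetime_secs` and `add_cert_to_agent` are names chosen here; the `Valid:` line formats (`from A to B`, `before B`, `after A`, `forever`) are assumed to match what `ssh-keygen -L` prints, in local time.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample of `ssh-keygen -L -f id_ed25519-cert.pub` output (not a real cert).
SAMPLE_LISTING = """\
id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:EXAMPLEFINGERPRINT
        Signing CA: ED25519 SHA256:EXAMPLECAFINGERPRINT
        Key ID: "alice"
        Serial: 42
        Valid: from 2017-02-02T01:16:00 to 2017-02-02T13:16:00
        Principals:
                alice
"""

TS = "%Y-%m-%dT%H:%M:%S"  # ssh-keygen -L prints local time in this form
VALID_RE = re.compile(r"^\s*Valid:\s*(.*?)\s*$", re.MULTILINE)

def parse_ts(text):
    return datetime.strptime(text, TS)

def listing_for(cert_path):
    """Run ssh-keygen -L on a certificate file and return its text output."""
    return subprocess.check_output(["ssh-keygen", "-L", "-f", cert_path], text=True)

def cert_valid_before(listing):
    """Upper bound of the cert's validity as a naive local datetime, or None if unbounded."""
    m = VALID_RE.search(listing)
    if not m:
        raise ValueError("no 'Valid:' line in ssh-keygen -L output")
    spec = m.group(1)
    if spec == "forever":
        return None
    end = re.search(r"\bto (\S+)$", spec) or re.search(r"^before (\S+)$", spec)
    return parse_ts(end.group(1)) if end else None  # "after A" has no upper bound

def agent_lifetime_secs(listing, now, fallback=12 * 3600):
    """Seconds for `ssh-add -t`; 0 means the certificate has already expired."""
    before = cert_valid_before(listing)
    if before is None:
        return fallback  # no expiry on the cert: still bound the agent lifetime
    return max(int((before - now).total_seconds()), 0)

def add_cert_to_agent(key_path, listing, now=None):
    """Build the ssh-add command; ssh-add finds key_path-cert.pub beside the private key."""
    secs = agent_lifetime_secs(listing, now or datetime.now())
    if secs == 0:
        raise RuntimeError("certificate already expired; not adding it to the agent")
    return ["ssh-add", "-t", str(secs), key_path]
```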