Damien Miller wrote:
> On Thu, 2 Feb 2017, Adam Eijdenberg wrote:
>
>> On Thu, Feb 2, 2017 at 10:42 AM Damien Miller <djm@xxxxxxxxxxx> wrote:
>>> On Thu, 2 Feb 2017, Adam Eijdenberg wrote:
>>>> I guess a case could be made for ssh-add to always set a timeout when
>>>> adding a certificate with an expiry time, but I think for now I'm
>>>> happy enough to do that on our end.
>>>
>>> That sounds like a fine idea.
>>
>> Damien, to clarify, did you mean it would be a fine idea to submit a
>> patch to ssh-add to do so? (or a fine idea to leave it alone and
>> handle externally)
>
> It's a fine idea for a feature - even just filing it on bugzilla would be
> good.

I'm also thinking about how to raise the security bar of SSH keys. Would it be feasible to implement an SSH key agent which automagically generates a new key pair (e.g. when triggered by ssh-add or when the cert is expired) and sends the public key to an SSH signing service (authenticating the user with stronger authc mechs like 2FA) which returns the short-term SSH public-key cert? This would also make it possible to automatically add the "from=" key options because the SSH client's IP address is known.

Ciao, Michael.
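The "set an ssh-add timeout from the certificate's expiry" idea discussed in the thread, worked through as an added example (not code from OpenSSH or from anyone in the thread): it parses the valid_before field out of an OpenSSH certificate line and derives the lifetime one would pass to ssh-add -t. The build_sample_cert helper, the field-count table and the 60-second margin are assumptions made here for illustration; the sample certificate is constructed and unsigned.

```python
import base64
import struct
import time

# Public-key fields between the nonce and the serial, per certificate type
# (wire layout as documented in OpenSSH's PROTOCOL.certkeys; assumption for nistp384/521 omitted).
KEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    "ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve, Q
    "ssh-dss-cert-v01@openssh.com": 4,              # p, q, g, y
}
NEVER_EXPIRES = 0xFFFFFFFFFFFFFFFF  # valid_before value OpenSSH uses for "forever"

def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def cert_validity(cert_line):
    """Parse one line of a *-cert.pub file; return (key_id, valid_after, valid_before)."""
    blob = base64.b64decode(cert_line.split()[1])
    ktype, off = _read_string(blob, 0)
    _, off = _read_string(blob, off)  # nonce
    for _ in range(KEY_FIELDS[ktype.decode()]):
        _, off = _read_string(blob, off)  # public key components
    off += 8 + 4  # serial (uint64), type (uint32)
    key_id, off = _read_string(blob, off)
    _, off = _read_string(blob, off)  # valid principals
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return key_id.decode(), valid_after, valid_before

def ssh_add_lifetime(valid_before, now=None, margin=60):
    """Seconds for ssh-add -t (0 = already expired), or None if the cert never expires."""
    if valid_before == NEVER_EXPIRES:
        return None
    now = int(time.time()) if now is None else now
    return max(valid_before - now - margin, 0)  # margin: drop the key a bit before expiry

def _s(b):  # SSH wire "string": uint32 length prefix + bytes
    return struct.pack(">I", len(b)) + b

def build_sample_cert(valid_after, valid_before):
    """Constructed, unsigned ed25519 cert for testing; placeholders stand in for real key data."""
    t = b"ssh-ed25519-cert-v01@openssh.com"
    body = (_s(t) + _s(b"nonce") + _s(bytes(32)) + struct.pack(">QI", 7, 1)
            + _s(b"alice@example") + _s(_s(b"alice"))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"") + _s(b"ca-placeholder") + _s(b"sig-placeholder"))
    return t.decode() + " " + base64.b64encode(body).decode() + " constructed"
```

A wrapper would run ssh-add with the returned value (skipping -t when it is None, and refusing to load when it is 0), which is the behaviour the thread suggests ssh-add itself could adopt.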
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev