Re: ssh-agent check for new fresh certificate (and key)? worthwhile doing?

Damien Miller wrote:
> On Thu, 2 Feb 2017, Adam Eijdenberg wrote:
> 
>> On Thu, Feb 2, 2017 at 10:42 AM Damien Miller <djm@xxxxxxxxxxx> wrote:
>>> On Thu, 2 Feb 2017, Adam Eijdenberg wrote:
>>>> I guess a case could be made for ssh-add to always set a timeout when
>>>> adding a certificate with an expiry time, but I think for now I'm
>>>> happy enough to do that on our end.
>>>
>>> That sounds like a fine idea.
>>
>> Damien, to clarify did you mean it would be a fine idea to submit a
>> patch to ssh-add to do so? (or a fine idea to leave it alone and
>> handle externally)
> 
> It's a fine idea for a feature - even just filing it on bugzilla would be
> good.

I'm also thinking about how to raise the security bar of SSH keys.

Would it be feasible to implement an SSH key agent which automagically generates a new key
pair (e.g. when triggered by ssh-add or when the cert is expired) and sends the public key to a
SSH signing service (authenticating the user with stronger authc mechs like 2FA) which
returns the short-term SSH public-key cert? This would also make it possible to
automatically add the "from=" key options because the SSH client's IP address is known.

Ciao, Michael.


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
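The two ideas in this thread (an ssh-add lifetime that matches the certificate's expiry, and a "from="-style source restriction carried in the cert) both hinge on reading fields out of the OpenSSH certificate blob. The script below is an added example for this archive page, not OpenSSH code or anything posted by the participants: it parses an ssh-ed25519-cert-v01@openssh.com line following the PROTOCOL.certkeys layout, pulls out the validity window and the source-address critical option, and returns the number of seconds an agent wrapper would pass to ssh-add -t. The certificate it parses is constructed in the script with an all-zero key and an empty signature so that it runs offline; the signature is not verified, and the key id, principal and address are made-up values.

```python
"""Derive an ssh-add -t lifetime and the source-address restriction from an
OpenSSH user certificate. Added example for the thread above, not OpenSSH
code. The certificate is CONSTRUCTED below (dummy key, empty signature) so
the parser can run offline; a real one would come from ssh-keygen -s."""
import base64
import struct
import time

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1


def _str(b):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Sequential decoder for the SSH wire types used in certificates."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self):
        n = self.u32()
        if self.pos + n > len(self.data):
            raise ValueError("truncated string field")
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v

    def done(self):
        return self.pos == len(self.data)


def _unpack_strings(buf):
    """Decode a buffer holding zero or more packed strings (principals)."""
    r, out = Reader(buf), []
    while not r.done():
        out.append(r.string())
    return out


def _parse_options(buf):
    """Decode critical options / extensions: (name, data) pairs where data is
    itself a wrapped string for valued options (source-address, force-command)
    and empty for flags such as permit-pty."""
    r, out = Reader(buf), {}
    while not r.done():
        name = r.string().decode()
        data = r.string()
        out[name] = Reader(data).string().decode() if data else ""
    return out


def parse_certificate(cert_line):
    """Parse a 'type base64 comment' certificate line into its fields."""
    parts = cert_line.split()
    if len(parts) < 2 or parts[0] != CERT_TYPE:
        raise ValueError("not a %s line" % CERT_TYPE)
    r = Reader(base64.b64decode(parts[1]))
    if r.string().decode() != CERT_TYPE:
        raise ValueError("blob type does not match line type")
    r.string()  # nonce
    r.string()  # ed25519 public key
    cert = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode(),
            "principals": [p.decode() for p in _unpack_strings(r.string())],
            "valid_after": r.u64(), "valid_before": r.u64(),
            "critical_options": _parse_options(r.string()),
            "extensions": _parse_options(r.string())}
    r.string()  # reserved
    r.string()  # signature key
    r.string()  # signature (not verified in this example)
    if not r.done():
        raise ValueError("trailing bytes after certificate")
    return cert


def agent_lifetime(cert, now=None):
    """Seconds for ssh-add -t so the agent drops the key exactly when the cert
    stops being valid (valid_after <= now < valid_before). Returns 0 when the
    cert is not a user cert, not yet valid, or already expired: do not load."""
    now = int(time.time()) if now is None else now
    if cert["type"] != SSH_CERT_TYPE_USER:
        return 0
    if now < cert["valid_after"] or now >= cert["valid_before"]:
        return 0
    return cert["valid_before"] - now


def build_example_cert(valid_after, valid_before, source):
    """CONSTRUCTED fixture: zero nonce/key, empty signature key and signature.
    It only exercises the parser; sshd would reject it."""
    opts = _str(b"source-address") + _str(_str(source.encode()))
    exts = b"".join(_str(e) + _str(b"") for e in (b"permit-pty", b"permit-agent-forwarding"))
    blob = b"".join([_str(CERT_TYPE.encode()), _str(b"\0" * 32), _str(b"\0" * 32),
                     struct.pack(">Q", 7), struct.pack(">I", SSH_CERT_TYPE_USER),
                     _str(b"michael@example"), _str(_str(b"michael")),
                     struct.pack(">Q", valid_after), struct.pack(">Q", valid_before),
                     _str(opts), _str(exts), _str(b""), _str(b""), _str(b"")])
    return "%s %s michael@example" % (CERT_TYPE, base64.b64encode(blob).decode())


if __name__ == "__main__":
    now = int(time.time())
    cert = parse_certificate(build_example_cert(now - 60, now + 3600, "198.51.100.7/32"))
    print("key id:", cert["key_id"], "principals:", cert["principals"])
    print("source-address:", cert["critical_options"].get("source-address"))
    print("ssh-add -t", agent_lifetime(cert, now), "~/.ssh/id_ed25519")
```

An agent-side wrapper of the kind discussed in the thread would run this against the freshly issued `-cert.pub`, refuse to load the key when `agent_lifetime` returns 0, and otherwise call `ssh-add -t <seconds>` so the agent and the certificate expire together. The source-address option read here is the certificate-side counterpart of an authorized_keys `from=` restriction, which is what lets the signing service pin a short-lived cert to the requesting client's address.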

