On Thu, Feb 2, 2017 at 8:30 PM, Michael Ströder <michael@xxxxxxxxxxxx> wrote:
> Would it be feasible to implement a SSH key agent which automagically generates a new key
> pair (e.g. when triggered by ssh-add or cert is expired) and sends the public key to a
> SSH signing service (authenticating the user with stronger authc mechs like 2FA) which
> returns the short-term SSH public-key cert? This would also make it possible to
> automatically add the "from=" key options because the SSH client's IP address is known.

Hi Michael,

That pretty much describes what we're doing with one of my customers, with SSO to Google Apps (which in turn enforces 2FA etc), and I know we aren't the only ones doing it.

Once a day our users run a command:

$ updatecerts
Please click the "Allow" button in your browser to authorize our SSO tool.
2017/02/02 21:34:44 Authorization code received.
2017/02/02 21:34:44 Exchanging authorization code for long-lived credentials.
2017/02/02 21:34:45 Received long-lived credentials.
2017/02/02 21:34:46 Have valid ID token
2017/02/02 21:34:46 Generating new private key.
2017/02/02 21:34:46 Requesting fresh certificates...
2017/02/02 21:34:47 Received new certificates from server.
2017/02/02 21:34:47 Writing new private key.
2017/02/02 21:34:47 Installing new certificate.
2017/02/02 21:34:47 SSH_AUTH_SOCK detected, adding certificate to ssh-agent.
2017/02/02 21:34:47 Certificate will be added with TTL of 86400 seconds.

The company I did this work for (Androgogic) were kind enough to let me open-source it, so you can find the server and client here:
https://github.com/continusec/geecert

I think Teleport also do something similar:
http://gravitational.com/teleport/

Facebook describe similar here too:
https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/

Cheers,
Adam

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
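As an added illustration (not code from geecert, Teleport or this thread): a Python encoder and parser for the OpenSSH ed25519 user-certificate wire format, with the checks sshd applies to the validity window, the principal list and the source-address critical option (the certificate-side equivalent of the from= key option mentioned above). The nonce, CA key and signature are constructed dummies, so CA signing and signature verification are assumed to happen elsewhere and are out of scope here.

```python
import struct, ipaddress
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
_s = lambda b: struct.pack(">I", len(b)) + b  # encode an SSH "string": uint32 length, then bytes
def _rs(buf, off):  # decode an SSH "string" at off; returns (bytes, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n
def _strs(buf):  # iterate over a blob of back-to-back strings
    p = 0
    while p < len(buf):
        s, p = _rs(buf, p)
        yield s

def build_cert(pubkey, key_id, principals, valid_after, valid_before, source_address):
    # Field order per OpenSSH PROTOCOL.certkeys; nonce, CA key and signature are constructed dummies.
    opts = _s(b"source-address") + _s(_s(source_address.encode()))  # value is a nested string
    return (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(pubkey)
            + struct.pack(">QI", 1, 1)  # serial 1, type 1 = user certificate
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(opts) + _s(b"") + _s(b"")  # critical options, extensions, reserved
            + _s(b"dummy-ca-key") + _s(b"dummy-signature"))

def parse_cert(blob):
    ctype, off = _rs(blob, 0)
    if ctype != CERT_TYPE:
        raise ValueError("unsupported certificate type: %r" % ctype)
    pubkey, off = _rs(blob, _rs(blob, off)[1])  # skip the nonce
    serial, kind = struct.unpack_from(">QI", blob, off)
    key_id, off = _rs(blob, off + 12)
    princ_blob, off = _rs(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    opts_blob, off = _rs(blob, off + 16)
    items = list(_strs(opts_blob))  # alternating option name and string-wrapped value
    options = {items[i].decode(): (_rs(items[i + 1], 0)[0].decode() if items[i + 1] else "")
               for i in range(0, len(items), 2)}
    return {"pubkey": pubkey, "serial": serial, "user": kind == 1, "key_id": key_id.decode(),
            "principals": [p.decode() for p in _strs(princ_blob)],
            "valid_after": valid_after, "valid_before": valid_before, "options": options}

def check_cert(cert, user, client_ip, now):
    # The authorization checks sshd applies after verifying the CA signature (not done here).
    if not cert["user"] or user not in cert["principals"]:
        return "principal not permitted"
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return "certificate expired or not yet valid"
    src = cert["options"].get("source-address")  # comma-separated CIDR list, like from=
    if src and not any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(n, strict=False)
                       for n in src.split(",")):
        return "source address not permitted"
    return "ok"
```

With a one-day window (86400 seconds, as in the transcript) and the client's CIDR in source-address, a leaked certificate is useless after the TTL and from any other network.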