On 2017-02-02 11:49, Adam Eijdenberg wrote:
> On Thu, Feb 2, 2017 at 8:30 PM, Michael Ströder <michael@xxxxxxxxxxxx> wrote:
> > Would it be feasible to implement an SSH key agent which automagically
> > generates a new key pair (e.g. when triggered by ssh-add or when the cert
> > is expired) and sends the public key to an SSH signing service
> > (authenticating the user with stronger authc mechs like 2FA) which returns
> > the short-term SSH public-key cert? This would also make it possible to
> > automatically add the "from=" key options because the SSH client's IP
> > address is known.
> That pretty much describes what we're doing with one of my customers,
> with SSO to Google Apps (which in turn enforces 2FA etc), and I know
> we aren't the only ones doing it. Once a day our users run a command:
>
> $ updatecerts
> Please click the "Allow" button in your browser to authorize our SSO tool.
> [..]
> 2017/02/02 21:34:47 SSH_AUTH_SOCK detected, adding certificate to ssh-agent.
Yes, I've already glanced over your GitHub repo.

I was rather thinking about integrating the whole thing into a custom
SSO SSH key agent.

Hmm, one could even skip the ssh-add and integrate it into a wrapper
script when invoking the ssh client.

Thanks for the additional links.

Ciao, Michael.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
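As an added, stand-alone example (not code from this thread or from Adam's tool): the check a wrapper or custom agent like the one Michael describes would want to run on a certificate returned by the signing service before handing it to ssh-agent, i.e. that it is a user cert, currently valid, short-lived, and carries the `source-address` critical option that corresponds to his "from=" idea. It assumes the ssh-ed25519-cert-v01@openssh.com field layout from OpenSSH's PROTOCOL.certkeys and exercises the parser with a constructed fixture that has a dummy nonce, key and signature; the CA signature is not verified here.

```python
import struct
import time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # SSH2_CERT_TYPE_USER (host certs are 2)

def _string(b):  # SSH wire "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_ed25519_cert(blob):
    """Unpack an ssh-ed25519-cert-v01@openssh.com certificate (field order from
    PROTOCOL.certkeys). The CA signature is NOT verified here; ssh/sshd do that."""
    ctype, off = _read_string(blob, 0)
    if ctype != CERT_TYPE:
        raise ValueError("unsupported certificate type %r" % ctype)
    for _ in range(2):  # skip nonce and the certified public key
        _, off = _read_string(blob, off)
    serial, kind = struct.unpack_from(">QI", blob, off); off += 12
    key_id, off = _read_string(blob, off)
    _principals, off = _read_string(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off); off += 16
    crit, off = _read_string(blob, off)
    options, p = {}, 0
    while p < len(crit):  # repeated (string name, string data); data wraps a string
        name, p = _read_string(crit, p)
        data, p = _read_string(crit, p)
        options[name.decode()] = _read_string(data, 0)[0].decode() if data else ""
    return {"serial": serial, "type": kind, "key_id": key_id.decode(), "valid_after": valid_after,
            "valid_before": valid_before, "critical_options": options}

def cert_acceptable(blob, max_lifetime=86400, now=None):
    """Policy: user cert, currently valid, lifetime <= max_lifetime, pinned by source-address."""
    c = parse_ed25519_cert(blob)
    now = time.time() if now is None else now
    return (c["type"] == USER_CERT
            and c["valid_before"] - c["valid_after"] <= max_lifetime
            and c["valid_after"] <= now < c["valid_before"]
            and "source-address" in c["critical_options"])

def build_sample_cert(valid_after, valid_before, source=None):
    """Constructed fixture (dummy nonce, key and signature) to exercise the parser offline."""
    crit = _string(b"source-address") + _string(_string(source.encode())) if source else b""
    return (_string(CERT_TYPE) + _string(b"\0" * 32) + _string(b"\1" * 32)
            + struct.pack(">QI", 7, USER_CERT) + _string(b"michael") + _string(_string(b"michael"))
            + struct.pack(">QQ", valid_after, valid_before) + _string(crit)
            + _string(b"") + _string(b"") + _string(b"") + _string(b""))
```

On a real certificate, feed the base64 body of the `-cert.pub` line (the second whitespace-separated field) through `base64.b64decode` to get the blob.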