Re: ssh-agent check for new fresh certificate (and key)? worthwhile doing?

On 2017-02-02 11:49, Adam Eijdenberg wrote:
> On Thu, Feb 2, 2017 at 8:30 PM, Michael Ströder <michael@xxxxxxxxxxxx> wrote:
> > Would it be feasible to implement an SSH key agent which automagically generates a new key pair (e.g. when triggered by ssh-add or when the cert is expired) and sends the public key to an SSH signing service (authenticating the user with stronger authc mechs like 2FA) which returns the short-term SSH public-key cert? This would also make it possible to automatically add the "from=" key options because the SSH client's IP address is known.
>
> That pretty much describes what we're doing with one of my customers,
> with SSO to Google Apps (which in turn enforces 2FA etc.), and I know
> we aren't the only ones doing it. Once a day our users run a command:
>
> $ updatecerts
> Please click the "Allow" button in your browser to authorize our SSO tool.
> [..]
> 2017/02/02 21:34:47 SSH_AUTH_SOCK detected, adding certificate to ssh-agent.

Yes, I've already glanced over your github repo.

I was rather thinking about integrating the whole thing into a custom SSO SSH key agent. Hmm, one could even skip the ssh-add and integrate it into a wrapper script when invoking the ssh client.

Thanks for the additional links.

Ciao, Michael.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
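An added example, not code from this thread or from the tool Adam mentions: the freshness check an agent wrapper of the kind discussed above would run over `ssh-add -L` output before deciding to fetch a new short-term certificate. It decodes the OpenSSH ed25519 certificate wire format to get the validity window and the `source-address` critical option (the certificate-side counterpart of the `from=` key option). The certificate builder produces constructed test data with placeholder key bytes and an unsigned placeholder signature; the key id `alice`, the 300-second refresh margin and all sample values are assumptions.

```python
import base64
import io
import struct
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b):  # SSH wire 'string': big-endian uint32 length prefix followed by the bytes
    return struct.pack(">I", len(b)) + b

def _strings(raw):  # split a packed list of SSH strings (principals, critical options)
    f, out = io.BytesIO(raw), []
    while f.tell() < len(raw):
        out.append(f.read(struct.unpack(">I", f.read(4))[0]))
    return out

def build_cert(valid_after, valid_before, principals, source_address=None):
    """Constructed test data: user cert with placeholder key bytes and placeholder signature."""
    opts = _s(b"source-address") + _s(_s(source_address.encode())) if source_address else b""  # cert analogue of from=
    body = (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x01" * 32)  # type, nonce, ed25519 key
            + struct.pack(">QI", 7, 1) + _s(b"alice")  # serial, type 1 = user cert, key id
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(opts) + _s(b"") + _s(b"")  # critical options, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(b"\x02" * 32)))  # CA public key
    return body + _s(b"placeholder-signature")  # a real CA signs `body` here

def agent_line(blob, comment="constructed"):  # the form 'ssh-add -L' prints for a cert
    return f"{CERT_TYPE.decode()} {base64.b64encode(blob).decode()} {comment}"

def parse_cert(blob):
    """Decode the fields a freshness check needs; signature verification is sshd's job."""
    f = io.BytesIO(blob)
    string = lambda: f.read(struct.unpack(">I", f.read(4))[0])
    uint = lambda fmt: struct.unpack(fmt, f.read(struct.calcsize(fmt)))[0]
    if string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    string(); string(); uint(">Q"); uint(">I")  # skip nonce, public key, serial, type
    info = {"key_id": string().decode(),
            "principals": [p.decode() for p in _strings(string())],
            "valid_after": uint(">Q"), "valid_before": uint(">Q"), "source_address": None}
    opts = _strings(string())  # alternating name, data; data wraps the value as a string
    for name, data in zip(opts[::2], opts[1::2]):
        if name == b"source-address": info["source_address"] = _strings(data)[0].decode()
    return info

def needs_refresh(line, now, margin=300):
    """True if this 'ssh-add -L' line is not a cert valid at `now` with `margin` seconds left."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != CERT_TYPE.decode():
        return True
    cert = parse_cert(base64.b64decode(fields[1]))
    return not (cert["valid_after"] <= now < cert["valid_before"] - margin)
```

A wrapper around ssh would run `needs_refresh` on each `ssh-add -L` line and only trigger the SSO round-trip when no line holds a usable certificate.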