Apologies if this post is inappropriate to this list; please redirect me if so.

Our team uses ssh extensively for server access and maintenance (Debian). An issue is acting as root when operating, for example, over ansible and keeping a record of who performed the actions, something ssh certificates solve well. The problem is then to automate certificate issuance since it would be pretty arduous for someone to keep issuing short-lived user certificates.

I was intrigued to read Uber's ussh announcement page and wondered if this suggests a route for doing so (https://medium.com/uber-security-privacy/introducing-the-uber-ssh-certificate-authority-4f840839c5cc):

"An employee gets a ussh certificate when they run the ussh command. This connects to the USSHCA, performs the pam conversation and forwards the client’s ssh agent to the CA. If the client successfully authenticates, the CA generates a new ssh key, populates the associated cert with the configured information (validity period, the user it’s valid for, the options permitted, etc.) and adds both the key and the certificate to the remote agent. The certificates are added to the agent with a timeout telling the agent to remove the keys when the certificate expires."

Assuming we write a program to generate a new key pair and associated user certificate, how would one go about adding this to a forwarded agent on the remote server hosting the program? Can ssh-add work on the remote socket file? Is such an operation advisable?

Apologies for these rather naive questions, and also if I'm covering well-worn territory.

Thanks
Rory

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
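An added illustration of the mint-and-load step the post asks about (this is not code from the post and not Uber's ussh): ssh-add talks to whatever socket SSH_AUTH_SOCK names, so in a session with agent forwarding it loads into the forwarded agent. The script assumes ssh-keygen, ssh-agent and ssh-add are on the PATH, and the throw-away CA, the principal "rory" and the 8-hour validity are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the post, not Uber's ussh): mint a short-lived
# user certificate and load key + cert into the agent SSH_AUTH_SOCK names.
set -eu

# make_ca DIR: create a throw-away CA key pair (constructed for the demo).
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$1/ca"
    echo "$1/ca"
}

# issue_cert CA_KEY IDENTITY PRINCIPAL OUT_KEY
# Fresh ed25519 key signed for PRINCIPAL, valid 8 hours from now, with
# forwarding disabled (an assumed policy; substitute your own -O options).
# ssh-keygen -s writes the certificate to OUT_KEY-cert.pub.
issue_cert() {
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$4"
    ssh-keygen -q -s "$1" -I "$2" -n "$3" -V +8h \
        -O no-port-forwarding -O no-agent-forwarding "$4.pub"
}

# load_into_agent KEY SECONDS: ssh-add finds KEY-cert.pub beside KEY and
# adds both; -t makes the agent drop them when the certificate expires.
load_into_agent() {
    ssh-add -q -t "$2" "$1"
}

# cert_loaded: number of certificate entries the agent lists (expect 1).
cert_loaded() {
    ssh-add -l | grep -c -- '-CERT)' || true
}

# cert_principals CERT_FILE: print the principals embedded in the cert.
cert_principals() {
    ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
        | grep -v -e 'Principals:' -e 'Critical Options:' | tr -d ' \t'
}

# demo DIR: whole flow against a private agent, which is killed afterwards.
demo() {
    ca=$(make_ca "$1")
    issue_cert "$ca" "rory-$(date +%s)" rory "$1/user"
    eval "$(ssh-agent -s)" >/dev/null
    load_into_agent "$1/user" 28800
    n=$(cert_loaded)
    ssh-agent -k >/dev/null
    echo "$n"
}

if [ "${1:-}" = run ]; then
    d=$(mktemp -d); demo "$d"; ssh-keygen -L -f "$d/user-cert.pub"; rm -rf "$d"
fi
```

Run it as `sh mint.sh run` to see the certificate fields; in a real forwarded session omit the ssh-agent lines in demo and let SSH_AUTH_SOCK point at the forwarded socket.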