On 18/09/18, Peter Moody (mindrot@xxxxxxxx) wrote:
> On Mon, Sep 17, 2018 at 6:13 AM, Rory Campbell-Lange
> <rory@xxxxxxxxxxxxxxxxxx> wrote:
...
> > The problem is then to automate certificate issuance since it would be
> > pretty arduous for someone to keep issuing short-lived user
> > certificates.
> >
> > I was intrigued to read Uber's ussh announcement page and wondered if
> > this suggests a route for doing so:
> > (https://medium.com/uber-security-privacy/introducing-the-uber-ssh-certificate-authority-4f840839c5cc)
...
> > Assuming we write a program to generate a new key pair and associated
> > user certificate, how would one go about adding this to a forwarded
> > agent on the remote server hosting the program? Can ssh-add work on the
> > remote socket file? Is such an operation advisable?
...
> It's unclear if I'm ever going to be able to opensource usshca at this
> point, but I can assure you that it's definitely possible to add a
> private key (and certificate) to a forwarded ssh-agent. It might not
> be clear from the blog post, but usshca is itself an ssh server,
> albeit one that doesn't drop an authenticated user into a shell.
> openssh's sshd makes a remotely forwarded agent available locally via
> unix domain socket, but usshca just takes the remote agent and,
> assuming everything's a-ok, adds the key and cert.

Hi Peter

Thanks for the response, and the Go code snippets (unfortunately I'm not a Go programmer). It would be great if usshca could be open-sourced in future.

I've verified what you've written about adding keys and certificates to a forwarded agent following Peter Stuge's helpful comments. Darren Tucker pointed out that there is nothing to stop someone hacking their agent to copy a key (even with a timeout), so the use of time-limited certificates seems important.
The missing piece in the puzzle for our use case is extracting the user from the connection by pairing their connection key to one in a user database without having to create a local user for each remote ssh user on the authenticating server. I assume the usshca ssh server deals with this by allowing "username@usshca" connections for all known users?

Regards
Rory
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
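The operation discussed in the thread (adding a freshly issued key plus its certificate to a forwarded ssh-agent, with an agent lifetime that ends when the certificate does) as an added example in Python, not code from the thread or from usshca. It speaks the ssh-agent wire protocol directly to the agent socket; message and certificate layouts follow draft-miller-ssh-agent and OpenSSH's PROTOCOL.certkeys, `SSH_AUTH_SOCK` is assumed to point at the forwarded agent, and the key bytes and unsigned certificate are constructed test data.

```python
import os, socket, struct, time

SSH_AGENTC_ADD_ID_CONSTRAINED, SSH_AGENT_CONSTRAIN_LIFETIME, SSH_AGENT_SUCCESS = 25, 1, 6
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def ssh_string(b):
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def cert_validity(cert):
    """(valid_after, valid_before) of an OpenSSH certificate blob (PROTOCOL.certkeys)."""
    off = 0
    for _ in range(3):              # key type, nonce, ed25519 public key
        _, off = read_string(cert, off)
    off += 8 + 4                    # serial (uint64), certificate type (uint32)
    for _ in range(2):              # key id, valid principals
        _, off = read_string(cert, off)
    return struct.unpack_from(">QQ", cert, off)

def build_add_identity(cert, pk, sk, comment, now=None):
    """SSH_AGENTC_ADD_ID_CONSTRAINED with a lifetime ending at the cert's valid_before."""
    now = int(time.time()) if now is None else now
    valid_before = cert_validity(cert)[1]
    if valid_before <= now:
        raise ValueError("certificate already expired")
    lifetime = min(valid_before - now, 0xFFFFFFFF)   # 0xFFFF... valid_before means 'forever'
    body = (bytes([SSH_AGENTC_ADD_ID_CONSTRAINED]) + ssh_string(CERT_TYPE) + ssh_string(cert)
            + ssh_string(pk) + ssh_string(sk) + ssh_string(comment)      # sk = seed || pk
            + bytes([SSH_AGENT_CONSTRAIN_LIFETIME]) + struct.pack(">I", lifetime))
    return ssh_string(body)

def add_to_agent(msg, sock_path=None):
    """Send one agent message over the (forwarded) socket; True on SSH_AGENT_SUCCESS."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path or os.environ["SSH_AUTH_SOCK"])
        s.sendall(msg)
        (n,) = struct.unpack(">I", s.recv(4))
        return s.recv(n) == bytes([SSH_AGENT_SUCCESS])

def unsigned_test_cert(pk, key_id, principal, valid_after, valid_before):
    """Constructed cert blob with the real field layout but no CA signature (parser tests only)."""
    return (ssh_string(CERT_TYPE) + ssh_string(b"\x00" * 32) + ssh_string(pk)
            + struct.pack(">QI", 1, 1) + ssh_string(key_id) + ssh_string(ssh_string(principal))
            + struct.pack(">QQ", valid_after, valid_before)
            + ssh_string(b"") * 5)      # critical options, extensions, reserved, CA key, signature
```

With a real key and CA-signed certificate, `add_to_agent(build_add_identity(cert, pk, sk, b"user"))` is the equivalent of `ssh-add -t <remaining seconds>` against the forwarded socket.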