Hi,

We're developing an open source project that uses SSH certificates. We issue short-lived certificates (a few minutes) to execute commands on behalf of users. We have a use case where we need to issue certificates with 10 days of validity and store them, so we put a command inside them:

    ssh-keygen -s ca-key -I certN -n user -O force-command="wget something" -V +10d user-key.pub

and it works as expected. This way, if the certificate is stolen, it can only be used to execute that command (also, the CA is only trusted from some hosts, no root login, etc.).

We also want to use the "ForceCommand" option on the server (inside a "Match" section) to put in a wrapper that checks the commands executed for this CA. If a rogue certificate is issued, at least we can control what is executed. However, as the command is embedded inside the certificate, the server passes an empty "SSH_ORIGINAL_COMMAND" to the wrapper. I couldn't find any additional option or environment variable for this case. We can pass the command when the connection is established, but it defeats the purpose of having the certificate's "force-command".

So, is there a way the wrapper could get the command embedded inside a certificate?

As a side note, more information about the certificate (issue and expiration time) could be useful for auditing. It would be useful too if the server could log it (aside from the CA, certificate serial, etc.), but I couldn't find any option for that either.

Regards,
Ale

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
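An added example, not from the post or from OpenSSH itself, showing one way to audit the stored 10-day certificates offline: it parses the text that `ssh-keygen -L -f <cert>` prints for a user certificate, pulls out the key ID, principals, validity window and embedded force-command, and flags certificates that lack a force-command or whose lifetime exceeds the 10-day policy. The listing below is constructed sample text, and the field layout it assumes is the one `ssh-keygen -L` prints (Key ID, Valid, Principals, Critical Options, Extensions).

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `ssh-keygen -L -f user-key-cert.pub` output (not a real cert).
SAMPLE_LISTING = """user-key-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "certN"
        Serial: 42
        Valid: from 2024-05-01T09:00:00 to 2024-05-11T09:00:00
        Principals:
                user
        Critical Options:
                force-command wget something
        Extensions:
                permit-pty
"""

MAX_LIFETIME = timedelta(days=10)  # policy from the post: certs stored at rest live 10 days


def parse_listing(text):
    """Extract the audit-relevant fields from ssh-keygen -L output."""
    info = {"key_id": None, "serial": None, "valid_from": None, "valid_to": None,
            "principals": [], "force_command": None}
    section = None  # which indented list (principals / critical options) we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r'Key ID: "(.*)"$', line):
            info["key_id"] = m.group(1)
        elif m := re.match(r"Serial: (\d+)$", line):
            info["serial"] = int(m.group(1))
        elif m := re.match(r"Valid: from (\S+) to (\S+)$", line):  # "Valid: forever" stays None
            info["valid_from"] = datetime.fromisoformat(m.group(1))
            info["valid_to"] = datetime.fromisoformat(m.group(2))
        elif line.startswith("Principals:"):
            section = "principals"
        elif line.startswith("Critical Options:"):
            section = "options"
        elif line.startswith("Extensions:"):
            section = None
        elif section == "principals":
            info["principals"].append(line)
        elif section == "options" and line.startswith("force-command "):
            info["force_command"] = line[len("force-command "):]
    return info


def audit(info):
    """Return policy findings; an empty list means the certificate is acceptable."""
    findings = []
    if info["force_command"] is None:
        findings.append("no force-command: a stolen cert could run arbitrary commands")
    if info["valid_from"] is None or info["valid_to"] is None:
        findings.append("no validity window: certificate never expires")
    elif info["valid_to"] - info["valid_from"] > MAX_LIFETIME:
        findings.append("lifetime exceeds %s" % MAX_LIFETIME)
    return findings
```

To run it against real files, feed `subprocess.run(["ssh-keygen", "-L", "-f", path], capture_output=True, text=True).stdout` to `parse_listing` and log the findings together with the key ID and serial.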