Re: Feature request: a good way to supply short-lived certificates to openssh

On Tue, 7 Mar 2023, Darren Tucker wrote:

> On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> [...]
> > ssh_config contains a Match ... exec [command to refresh the certificate].  This sort of works,
> > except that it runs the command far too frequently.  For example, ssh -O exit [name] refreshes
> > the certificate, and it should not do so.
> 
> You can have the command check if the cert is expired or near expired
> before refreshing it.  I've done this in the past with expiring
> certificates.
> 
> > This would be more useful if ssh could _start_ the agent.
> 
> This is difficult because ssh relies on $SSH_AUTH_SOCK in its
> environment to find the agent's socket.

You could probably rig something up using a fixed agent socket path.
E.g.

IdentityAgent ~/.ssh/.agent-sock

Match !canonical exec "check-and-start-agent.sh"
	# Will start agent at ~/.ssh/.agent-sock if not already running.

The agent socket is AFAIK only opened after configuration processing
completes, so this should work.

It might also be possible to skip the Match block using some socket
activation trick.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
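A worked version of the check-and-start-agent.sh script the reply sketches, combined with the expiry check Darren suggests so that the Match exec stays cheap when ssh evaluates it for every connection (including ssh -O exit). This is an added example, not code from either poster or from OpenSSH itself. It assumes the IdentityAgent path from the reply (~/.ssh/.agent-sock), a certificate at ~/.ssh/id_ed25519-cert.pub, a ten-minute refresh margin, and that the actual reissuing command, which the thread leaves unspecified, is supplied in the REFRESH_CMD environment variable. It parses the "Valid:" line of ssh-keygen -L itself and converts timestamps with the days-from-civil algorithm in shell arithmetic, so it needs no GNU- or BSD-specific date(1) flags.

```shell
#!/bin/sh
# check-and-start-agent.sh: run from ssh_config as
#   IdentityAgent ~/.ssh/.agent-sock
#   Match !canonical exec "check-and-start-agent.sh"
# Exits 0 after making sure an agent listens on the fixed socket path and the
# certificate is neither expired nor about to expire; the expiry check is what
# keeps this cheap when ssh runs it for every connection.

# Assumed defaults for this example; all can be overridden via environment.
AGENT_SOCK=${AGENT_SOCK:-$HOME/.ssh/.agent-sock}        # must match IdentityAgent
CERT_FILE=${CERT_FILE:-$HOME/.ssh/id_ed25519-cert.pub}  # assumed cert location
REFRESH_MARGIN=${REFRESH_MARGIN:-600}                   # renew 10 min before expiry

# Convert a naive YYYY-MM-DDTHH:MM:SS timestamp (the format ssh-keygen -L
# prints, in local time) to seconds since 1970-01-01T00:00:00 using the
# days-from-civil algorithm, so no non-portable date(1) flags are needed.
iso_to_epoch() {
  y=${1%%-*}; rest=${1#*-}; mo=${rest%%-*}; rest=${rest#*-}; d=${rest%%T*}
  t=${1#*T}; hh=${t%%:*}; t=${t#*:}; mi=${t%%:*}; ss=${t#*:}
  # Strip one leading zero so "08" is not read as an invalid octal by $(( )).
  mo=${mo#0}; d=${d#0}; hh=${hh#0}; mi=${mi#0}; ss=${ss#0}
  if [ "$mo" -le 2 ]; then y=$((y - 1)); mo=$((mo + 9)); else mo=$((mo - 3)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  doy=$(((153 * mo + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  days=$((era * 146097 + doe - 719468))
  echo $((days * 86400 + hh * 3600 + mi * 60 + ss))
}

# Read `ssh-keygen -L` output on stdin and print the expiry: the "to" or
# "before" timestamp, "forever" when the cert never expires, and nothing when
# no Valid: line is present (missing file, or not a certificate at all).
parse_valid_to() {
  sed -n \
    -e 's/^ *Valid: from [^ ]* to \([^ ]*\).*/\1/p' \
    -e 's/^ *Valid: before \([^ ]*\).*/\1/p' \
    -e 's/^ *Valid: forever.*/forever/p' \
    -e 's/^ *Valid: after .*/forever/p'
}

cert_valid_to() {
  [ -r "$1" ] || return 0                 # no cert yet: empty output = refresh
  ssh-keygen -L -f "$1" 2>/dev/null | parse_valid_to
}

# needs_refresh EXPIRY MARGIN NOW: exit 0 when the cert must be reissued.
# EXPIRY and NOW come from the same local clock, so comparing the naive
# timestamps is consistent without any time zone handling.
needs_refresh() {
  case $1 in
    '')      return 0 ;;                  # no certificate at all
    forever) return 1 ;;                  # never expires
  esac
  [ "$(iso_to_epoch "$3")" -ge $(( $(iso_to_epoch "$1") - $2 )) ]
}

# ssh-add -l exits 0 (keys listed) or 1 (agent has no keys) when the agent
# answers on the socket, and 2 when it cannot connect.
agent_alive() {
  rc=0
  SSH_AUTH_SOCK=$1 ssh-add -l >/dev/null 2>&1 || rc=$?
  [ "$rc" -le 1 ]
}

start_agent() {
  rm -f "$1"                              # a dead agent may leave its socket behind
  ssh-agent -a "$1" >/dev/null            # -a binds the agent to the fixed path
}

main() {
  agent_alive "$AGENT_SOCK" || start_agent "$AGENT_SOCK"
  if needs_refresh "$(cert_valid_to "$CERT_FILE")" "$REFRESH_MARGIN" \
                   "$(date +%Y-%m-%dT%H:%M:%S)"; then
    # Hypothetical hook: the thread does not say how the cert is issued, so this
    # example expects the command in REFRESH_CMD, then loads key + renewed cert.
    sh -c "${REFRESH_CMD:?set REFRESH_CMD to the command that reissues $CERT_FILE}"
    SSH_AUTH_SOCK=$AGENT_SOCK ssh-add "${CERT_FILE%-cert.pub}"
  fi
}

# Run main only when executed as the script itself, so the functions can be
# sourced and exercised without touching a real agent.
if [ "${0##*/}" = check-and-start-agent.sh ]; then main "$@"; fi
```

Because ssh treats exit status 0 as a match, the script deliberately ends successfully after its checks; with the IdentityAgent line above, the agent socket only has to exist by the time ssh opens it, which as the reply notes happens after configuration processing.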