Re: Feature request: a good way to supply short-lived certificates to openssh

On Mon, Mar 6, 2023, at 2:09 PM, Darren Tucker wrote:
> On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> [...]
>> ssh_config contains a Match ... exec [command to refresh the certificate].  This sort of works,
>> except that it runs the command far too frequently.  For example, ssh -O exit [name] refreshes
>> the certificate, and it should not do so.
>
> You can have the command check if the cert is expired or near expired
> before refreshing it.  I've done this in the past with expiring
> certificates.

True, but that doesn't help with the -O exit use case.  And it's really quite silly for any configuration using ControlMaster -- I don't want my certificates renewed when I'm joining an existing ControlMaster question.

So I still think that openssh doesn't have a great mechanism for this, and I think my feature request still makes sense.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
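
The check Darren Tucker suggests in the quoted text (refresh only when the certificate is expired or near expiry), sketched as an added example that is not part of the original thread. It assumes GNU `date` and the `Valid:` line format printed by `ssh-keygen -L`; `refresh_certificate_placeholder` is a hypothetical stand-in for whatever command issues the new certificate, and the sample listing is constructed.

```shell
#!/bin/sh
# Constructed sample of `ssh-keygen -L -f id_ed25519-cert.pub` output
# (fingerprints are placeholders).
SAMPLE='id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER
        Signing CA: ED25519 SHA256:PLACEHOLDER (using ssh-ed25519)
        Key ID: "example-user"
        Serial: 1
        Valid: from 2023-03-06T14:00:00 to 2023-03-06T15:00:00
        Principals:
                example-user'

# Read `ssh-keygen -L` output on stdin; print the end of the validity window
# as an ISO timestamp, "never" (no expiry) or "unknown" (no parsable Valid: line).
cert_expiry() {
    awk '
        $1 == "Valid:" {
            found = 1
            if ($2 == "forever" || $2 == "after") print "never"
            else if ($2 == "before")              print $3
            else if ($2 == "from" && $4 == "to")  print $5
            else                                  print "unknown"
            exit
        }
        END { if (!found) print "unknown" }'
}

# needs_refresh EXPIRY THRESHOLD: exit 0 when a refresh is due.
# Both values are local-time ISO timestamps, which sort lexicographically.
needs_refresh() {
    case "$1" in
        never)   return 1 ;;
        unknown) return 0 ;;   # missing or unreadable certificate: refresh
    esac
    awk -v e="$1" -v t="$2" 'BEGIN { exit !((e "") <= (t "")) }'
}

# refresh_if_needed CERT MARGIN, e.g. refresh_if_needed ~/.ssh/id_ed25519-cert.pub "5 minutes"
refresh_if_needed() {
    threshold=$(date -d "+$2" +%Y-%m-%dT%H:%M:%S)   # assumes GNU date
    expiry=$(ssh-keygen -L -f "$1" 2>/dev/null | cert_expiry)
    if needs_refresh "$expiry" "$threshold"; then
        refresh_certificate_placeholder "$1"         # hypothetical refresh command
    fi
}
```

This only skips the refresh while the certificate is still valid; it does not change when ssh runs the `Match ... exec` command.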


