Re: Feature request: a good way to supply short-lived certificates to openssh

On 07/03/23, Darren Tucker (dtucker@xxxxxxxxxxx) wrote:
> On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> [...]
> > ssh_config contains a Match ... exec [command to refresh the certificate].
> > This sort of works, except that it runs the command far too frequently.
> > For example, ssh -O exit [name] refreshes the certificate, and it should
> > not do so.
> 
> You can have the command check if the cert is expired or near expired
> before refreshing it.  I've done this in the past with expiring
> certificates.

I was intrigued by Darren's note about a command to check certificate expiry. I've put together a quick PoC in Go to list expiring certificates: https://gist.github.com/rorycl/d194243c61b349021935c97f751a931e

Output is something like:

    0 key ssh-ed25519 : is not a certificate
    1 key ssh-ed25519-cert-v01@xxxxxxxxxxx
        comment:  acmeinc_briony_from:2023-03-07T08:18_to:2023-03-07T11:18UTC
        validity: 2023-03-07 08:37:23 GMT to 2023-03-07 11:37:23 GMT
        expiring in 60m? true

I'd be grateful to Andy if he explained what sort of command he runs to refresh certificates. I understood most refresh arrangements to involve OAuth2.

Rory

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
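The check Darren describes (only refresh when the certificate is expired or close to it), worked through as an added example that is not Rory's gist and not OpenSSH code. It parses an OpenSSH certificate line by hand from the wire format in PROTOCOL.certkeys using only the Go standard library, so it runs offline; a real tool would more likely call golang.org/x/crypto/ssh's ParseAuthorizedKey and read ValidBefore from the resulting *ssh.Certificate. Function names (ParseCertLine, NeedsRefresh, BuildUnsignedCert) are mine; BuildUnsignedCert exists only to construct test input and produces an unsigned certificate with dummy nonce, key and signature that sshd would reject. Only ed25519, RSA and ECDSA P-256 certificate types are recognised, and nothing here verifies the CA signature; the parser reads dates, not trust.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"math"
	"strings"
	"time"
)

var ErrNotCertificate = errors.New("key is not a certificate")

// CertInfo holds what an expiry check needs; a zero ValidBefore means "never expires" (valid_before = 2^64-1).
type CertInfo struct {
	KeyID                   string
	ValidAfter, ValidBefore time.Time
}

// reader is a cursor over SSH wire encoding that keeps the first error it hits;
// after an error, take returns zeroed bytes so callers need no per-field checks.
type reader struct {
	b   []byte
	err error
}

func (r *reader) take(n uint64) []byte {
	if r.err == nil && uint64(len(r.b)) < n {
		r.err = errors.New("truncated certificate")
	}
	if r.err != nil {
		return make([]byte, 8)
	}
	s := r.b[:n]
	r.b = r.b[n:]
	return s
}

// str reads an SSH string: uint32 big-endian length, then that many bytes.
func (r *reader) str() []byte { return r.take(uint64(binary.BigEndian.Uint32(r.take(4)))) }
func (r *reader) u64() uint64 { return binary.BigEndian.Uint64(r.take(8)) }

// ParseCertLine parses a "type base64 [comment]" line as written by ssh-keygen, following
// PROTOCOL.certkeys up to valid_before. It reads dates only; it does NOT verify the CA signature.
func ParseCertLine(line string) (*CertInfo, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return nil, errors.New("malformed key line")
	}
	// Strings that make up the embedded public key: ed25519 pk; rsa e, n; ecdsa curve, Q.
	nkey := map[string]int{"ssh-ed25519-cert-v01@openssh.com": 1, "ssh-rsa-cert-v01@openssh.com": 2,
		"ecdsa-sha2-nistp256-cert-v01@openssh.com": 2}[f[0]]
	if nkey == 0 {
		return nil, ErrNotCertificate
	}
	raw, err := base64.StdEncoding.DecodeString(f[1])
	r := &reader{b: raw, err: err} // a base64 error surfaces through the sticky error below
	for i := 0; i < 2+nkey; i++ {  // skip the type string, the nonce and the public-key strings
		r.str()
	}
	r.take(12) // serial (uint64) and certificate type (uint32: 1 = user, 2 = host)
	c := &CertInfo{KeyID: string(r.str())}
	r.str() // valid principals (a packed list of strings), not needed for the expiry decision
	after, before := r.u64(), r.u64()
	if r.err != nil {
		return nil, r.err
	}
	c.ValidAfter = time.Unix(int64(after), 0).UTC()
	if before != math.MaxUint64 { // int64(2^64-1) would wrap to 1969; keep "forever" as the zero time
		c.ValidBefore = time.Unix(int64(before), 0).UTC()
	}
	return c, nil
}

// NeedsRefresh is the gate for the Match exec refresh command: true only when the
// certificate is already expired or expires within window of now.
func NeedsRefresh(c *CertInfo, now time.Time, window time.Duration) bool {
	return !c.ValidBefore.IsZero() && !now.Add(window).Before(c.ValidBefore)
}

// BuildUnsignedCert assembles a structurally valid but UNSIGNED ed25519 certificate line
// (dummy nonce, key and signature) as constructed parser input; sshd would reject it.
// A zero "before" requests valid_before = 2^64-1, OpenSSH's "never expires".
func BuildUnsignedCert(keyID string, after, before time.Time, comment string) string {
	const typ = "ssh-ed25519-cert-v01@openssh.com"
	var buf bytes.Buffer
	zeros := func(n int) string { return strings.Repeat("\x00", n) }
	exp := uint64(before.Unix())
	if before.IsZero() {
		exp = math.MaxUint64
	}
	// Field order per PROTOCOL.certkeys: type, nonce, pk, serial, cert type (1 = user), key id,
	// principals, valid_after, valid_before, critical options, extensions, reserved, sig key, signature.
	for _, v := range []interface{}{typ, zeros(32), zeros(32), uint64(1), uint32(1), keyID, "",
		uint64(after.Unix()), exp, "", "", "", zeros(51), zeros(83)} {
		if s, ok := v.(string); ok { // SSH strings carry a uint32 length prefix; integers go as-is
			binary.Write(&buf, binary.BigEndian, uint32(len(s)))
			buf.WriteString(s)
		} else {
			binary.Write(&buf, binary.BigEndian, v)
		}
	}
	return typ + " " + base64.StdEncoding.EncodeToString(buf.Bytes()) + " " + comment
}
```

Wired into ssh_config as `Match host *.example exec "cert-check ~/.ssh/id_ed25519-cert.pub"`, a command built on ParseCertLine and NeedsRefresh with a window of, say, 10 minutes would exit non-zero (and trigger the refresh) only when the certificate is actually about to lapse, not on every `ssh -O exit`. Two caveats worth keeping in mind: ssh-keygen's `-V` with no end writes 2^64-1, which is why ValidBefore is left zero rather than converted, and the parser trusts the file's contents, so it belongs on the client alongside the key, never in a trust decision.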


