Re: Feature request: a good way to supply short-lived certificates to openssh


This is the approach I take:

- generate a private key and certificate and stuff them into ssh-agent

- set the label in ssh-agent to something that identifies the key+cert, and the ssh-agent expiry time to be the same as the certificate expiry time, or slightly less

- each time you make an ssh connection, query the agent to see if there's the expected key+cert, and generate a new one if not

I'm using HashiCorp Vault to generate the certs, and I wrote this code for the client side:

https://github.com/candlerb/vault-ssh-agent-login

It skips the cert generation if there appears to be a valid cert already in the agent.

I invoke this via a wrapper script (below). I haven't looked into hooking it directly into ssh_config (which is what this thread was originally about).

#!/bin/bash -eu
export VAULT_ADDR="https://vault.example.net:8200"

# "-force" always mints a new cert; with no arguments just refresh (verbose);
# with ssh arguments refresh quietly, then hand off to ssh.
case "${1:-}" in
"-force") OPT="-force"; shift ;;
"")       OPT="" ;;
*)        OPT="-quiet" ;;
esac

vault-ssh-agent-login -role=my_ssh_role \
  -valid-principals="brian,ubuntu" \
  -auth-method=oidc -auth-path=google $OPT

# Only exec ssh when arguments were given; an "if" (rather than "&&") keeps
# the no-argument case from exiting with status 1.
if [ $# -gt 0 ]; then
  exec ssh "$@"
fi


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
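The check in step three of the post (is the expected key+cert already in the agent, and how long is it still good for?) as an added example; this is not code from the post or from the vault-ssh-agent-login project. It parses the certificate lines that `ssh-add -L` prints (the OpenSSH certificate wire format, whose public key fields vary by key type), matches on the key id embedded in the certificate rather than the agent comment, and returns the remaining lifetime to pass to `ssh-add -t`, or 0 when a fresh certificate is needed; `fake_cert_line`, the 60-second margin and the principal "brian" are constructed assumptions for testing.

```python
import base64
import struct
import time

# Wire-format "string" fields of public-key material that follow the nonce,
# per certificate type (RSA: e, n; ECDSA: curve, Q; Ed25519: pk).
KEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2,
              "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
              "ssh-ed25519-cert-v01@openssh.com": 1}

def _s(b):                      # encode one SSH wire-format string
    return struct.pack(">I", len(b)) + b

def _read(blob, off):           # decode one SSH wire-format string
    n, = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def cert_window(agent_line):
    """From one certificate line of `ssh-add -L`, return (key_id, valid_after, valid_before)."""
    kind, b64 = agent_line.split()[:2]
    blob = base64.b64decode(b64)
    _, off = _read(blob, 0)                       # certificate type string
    for _ in range(KEY_FIELDS[kind] + 1):         # nonce + key material
        _, off = _read(blob, off)
    off += 12                                     # uint64 serial + uint32 cert type
    key_id, off = _read(blob, off)
    _, off = _read(blob, off)                     # valid principals (nested strings)
    valid_after, valid_before = struct.unpack(">QQ", blob[off:off + 16])
    return key_id.decode(), valid_after, valid_before

def agent_lifetime(agent_listing, expected_key_id, now=None, margin=60):
    """Seconds left to pass to `ssh-add -t` if the agent holds a usable cert with
    the expected key id, else 0 meaning a new cert must be minted (margin is assumed)."""
    now = time.time() if now is None else now
    for line in agent_listing.splitlines():
        kind = line.split(" ", 1)[0]
        if kind not in KEY_FIELDS:                # plain key or unsupported type
            continue
        key_id, after, before = cert_window(line)
        if key_id == expected_key_id and after <= now < before - margin:
            return int(before - margin - now)
    return 0

def fake_cert_line(key_id, valid_after, valid_before):
    """Constructed, unsigned Ed25519 cert (zero key bytes) for testing the parser."""
    kind = b"ssh-ed25519-cert-v01@openssh.com"
    blob = (_s(kind) + _s(b"\0" * 32) + _s(b"\0" * 32) + struct.pack(">QI", 1, 1)
            + _s(key_id.encode()) + _s(_s(b"brian")) + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") * 5)                        # crit. options, extensions, reserved, sig key, sig
    return kind.decode() + " " + base64.b64encode(blob).decode() + " vault-cert"
```

In the wrapper, feed `subprocess.run(["ssh-add", "-L"], capture_output=True, text=True).stdout` to `agent_lifetime` and skip the Vault round trip when it returns a positive number.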
