On 07/03/23, Andy Lutomirski (luto@xxxxxxxxxx) wrote:
> On Tue, Mar 7, 2023, at 3:25 AM, Rory Campbell-Lange wrote:
> > On 07/03/23, Darren Tucker (dtucker@xxxxxxxxxxx) wrote:
> >> On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> >> [...]
> >> > ssh_config contains a Match ... exec [command to refresh the certificate].
> >> > This sort of works, except that it runs the command far too frequently.
> >> > For example, ssh -O exit [name] refreshes the certificate, and it should
> >> > not do so.
> >>
> >> You can have the command check if the cert is expired or near expired
> >> before refreshing it. I've done this in the past with expiring
> >> certificates.

I've put up a tool called `lsagentcerts` at https://github.com/rorycl/lsagentcerts -- let me know if it is helpful. I'm not sure the operation is quite right and the output is clunky. I should probably put the key signatures in the output...

> > I'd be grateful to Andy if he explained what sort of command he runs to
> > refresh certificates. I understood most refresh arrangements to involve
> > OAuth2.
>
> The actual setup I'm using is:
>
> Host myhost
>     Match host myhost exec "cloudflared access ssh-gen --hostname myhost.domain"
>     ProxyCommand cloudflared access ssh --hostname myhost.domain
>     IdentityFile ~/.cloudflared/blahblah
>     CertificateFile ~/.cloudflared/blahblah.pub
>
> cloudflared is this thing (open source!):
>
> https://github.com/cloudflare/cloudflared

I hadn't heard of this. Cool.

> There are two pieces of magic here. One is the "cloudflared access ssh-gen" command. It's annoyingly slow (which could be fixed, presumably), and it refreshes the certificates in ~/.cloudflared, using (I presume -- haven't checked) OAuth2 behind the scenes. The other is the ProxyCommand, which, as I've configured it, is just a proxy.
A quick glance suggests (at "handleCertificateGeneration", which takes a JWT and uses it to build a signPayload, https://github.com/cloudflare/cloudflared/blob/bf3136debbe0d847dd0e27c8e91eb21a7e4af73d/sshgen/sshgen.go#L74) that the slowness may be caused by Cloudflare's certificate signing process (in "SignCert").

...

> I think the most straightforward change to openssh would be to allow me to rewrite it as:
>
> Host myhost
>     PreAuthCommand cloudflared access ssh-gen --hostname myhost.domain
>     ProxyCommand cloudflared access ssh --hostname myhost.domain
>     IdentityFile ~/.cloudflared/blahblah

Maybe something like this would work:

    Match host myhost exec "lsagentcerts -e 5s -t || \
        cloudflared access ssh-gen --hostname myhost.domain"
        ProxyCommand cloudflared access ssh --hostname myhost.domain

    Host myhost
    ...

"lsagentcerts -e 5s -t" stands for "expiring in 5 seconds, terse mode".

Cheers
Rory

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
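The thread's suggestion is to gate the slow refresh behind a cheap expiry check in the Match exec command. The script below is an added example of such a check; it is not lsagentcerts, cloudflared, or anything from the thread. It reads the validity window straight out of the certificate file named by CertificateFile, following OpenSSH's PROTOCOL.certkeys field layout, and exits non-zero when the cert is unusable or expires within a grace window, so it slots into the same `check || refresh` pattern. The script name (check_cert.py), the grace default and the sample certificate are assumptions; the sample is constructed in-process with dummy key and signature bytes and is not a real signed certificate.

```python
"""Decide whether an OpenSSH certificate needs refreshing.

Added example, not code from the thread or from lsagentcerts/cloudflared.
Exit status 0 means the certificate is still good for at least the grace
window; non-zero means refresh it. Usage (assumed script name):

    Match host myhost exec "python3 check_cert.py ~/.cloudflared/blahblah.pub 5 || \\
        cloudflared access ssh-gen --hostname myhost.domain"
"""
import base64
import struct
import sys
import time

# Key-type-specific fields that sit between the nonce and the serial
# number for each certificate type (PROTOCOL.certkeys); mpints are
# length-prefixed like strings, so they can be skipped the same way.
KEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    "ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve, public_key
    "ecdsa-sha2-nistp384-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp521-cert-v01@openssh.com": 2,
    "ssh-dss-cert-v01@openssh.com": 4,              # p, q, g, y
}


def _read_string(buf, off):
    """Read an SSH 'string' (uint32 big-endian length prefix) at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated certificate")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off:off + n], off + n


def _read_fixed(buf, off, fmt):
    """Unpack a fixed-size field (e.g. '>QI') at off with a bounds check."""
    size = struct.calcsize(fmt)
    if off + size > len(buf):
        raise ValueError("truncated certificate")
    return struct.unpack(fmt, buf[off:off + size]), off + size


def parse_validity(cert_line):
    """Return (key_id, valid_after, valid_before) from a one-line .pub cert.

    The timestamps are Unix seconds exactly as stored in the certificate.
    """
    parts = cert_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1])
    raw_type, off = _read_string(blob, 0)
    cert_type = raw_type.decode()
    if cert_type != parts[0] or cert_type not in KEY_FIELDS:
        raise ValueError(f"unsupported certificate type {parts[0]!r}")
    _, off = _read_string(blob, off)                 # nonce
    for _ in range(KEY_FIELDS[cert_type]):           # key material
        _, off = _read_string(blob, off)
    (_serial, _ctype), off = _read_fixed(blob, off, ">QI")
    key_id, off = _read_string(blob, off)
    _, off = _read_string(blob, off)                 # valid principals
    (valid_after, valid_before), off = _read_fixed(blob, off, ">QQ")
    return key_id.decode(), valid_after, valid_before


def needs_refresh(cert_line, grace_seconds, now=None):
    """True if the cert is not yet valid, expired, or expires within grace."""
    now = int(time.time()) if now is None else now
    _, valid_after, valid_before = parse_validity(cert_line)
    return now < valid_after or valid_before - now <= grace_seconds


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_sample_cert(key_id, valid_after, valid_before):
    """Build a constructed ed25519 cert line; key and signature bytes are dummies."""
    cert_type = b"ssh-ed25519-cert-v01@openssh.com"
    body = (
        _ssh_string(cert_type)
        + _ssh_string(b"\x00" * 32)                         # nonce
        + _ssh_string(b"\x01" * 32)                         # pk (dummy)
        + struct.pack(">QI", 42, 1)                         # serial, type=user
        + _ssh_string(key_id.encode())
        + _ssh_string(_ssh_string(b"alice"))                # valid principals
        + struct.pack(">QQ", valid_after, valid_before)
        + _ssh_string(b"") + _ssh_string(b"") + _ssh_string(b"")  # options, extensions, reserved
        + _ssh_string(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x02" * 32))  # CA key (dummy)
        + _ssh_string(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x03" * 64))  # signature (dummy)
    )
    return cert_type.decode() + " " + base64.b64encode(body).decode() + " constructed-sample"


def main(argv):
    """check_cert.py <cert.pub> [grace_seconds]; exit 1 when a refresh is needed."""
    grace = int(argv[2]) if len(argv) > 2 else 5
    try:
        with open(argv[1]) as f:
            return 1 if needs_refresh(f.read().strip(), grace) else 0
    except (OSError, ValueError):
        return 1  # missing or unparseable cert: refresh it


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because Match exec treats exit status 0 as a match, `check || refresh` matches when the cert is still good (the refresh is skipped) and otherwise runs the refresh and matches on its exit status, which is the behaviour Rory's `lsagentcerts -e 5s -t || ...` line relies on. Note that the check only reads the file; whether the key is loaded in the agent is a separate question, which is what lsagentcerts looks at.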