Bug 2675

Summary: When adding certificates to ssh-agent, use expiry date as upper bound for lifetime
Product: Portable OpenSSH
Reporter: Adam Eijdenberg <adam>
Component: ssh-add
Assignee: Assigned to nobody <unassigned-bugs>
Status: NEW
Severity: enhancement
CC: djm
Priority: P5
Version: 7.4p1
Hardware: All
OS: All

Attachments (description, flags):
  First cut of patch (flags: none)
  Patch with correct content type set (flags: none)
  automatically set lifetimes, add -C, -f and -v options (flags: none)

Description Adam Eijdenberg 2017-02-02 21:13:58 AEDT
Created attachment 2935 [details]
First cut of patch

For users that regularly receive new short-lived certificates, it is useful to be able to add these to ssh-agent without the list of identities continually growing.

Since ssh-add already supports a lifetime parameter, suggest changing behaviour of ssh-add such that we always use the expiry date in the certificate as an upper bound for the lifetime.

Sample usage:

$ ssh-add ~/.ssh/id_androgogic_shortlived_rsa
Set lifetime to 74594 to match certificate expiry time.
Identity added: /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa (/Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa)
Lifetime set to 74594 seconds
Certificate added: /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa-cert.pub (adam/androbot (for adam.eijdenberg@androgogic.com))
Lifetime set to 74594 seconds

Comment 1 Adam Eijdenberg 2017-02-02 21:15:31 AEDT
Created attachment 2936 [details]
Patch with correct content type set

Comment 2 Damien Miller 2017-11-03 16:01:19 AEDT
Created attachment 3085 [details]
automatically set lifetimes, add -C, -f and -v options

This attempts the same thing a little differently.

This only looks at the valid_before time - I don't think it is helpful to warn if the certificate isn't yet valid as adding a cert that starts a few seconds in the future seems like a pretty common thing to do. Maybe it could be a debug message?

I also added a short grace period for expiring certificates, a way to override the helpfulness (-f), more nuanced error checking (e.g. not skipping loading a key if the cert was expired), a -C flag to only load certs and a verbose (-v) flag to get at the new debug messages.
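As an added illustration (not code from either attachment or from OpenSSH itself) of the behaviour the description and Comment 2 ask for: read valid_after/valid_before out of a certificate line and cap the agent lifetime at the time left until expiry, with a grace period and an -f style override. The certificate built by build_test_cert is constructed and unsigned, and the grace value, the skip rule and the forced-load rule are assumptions for the example, not OpenSSH's actual thresholds.

```python
import base64, struct

# Key-type-specific string fields that follow the nonce in each certificate
# type (PROTOCOL.certkeys): ed25519 pk; RSA e, n; ECDSA curve, public_key; DSA p, q, g, y.
CERT_KEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,
    "ssh-rsa-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
    "ssh-dss-cert-v01@openssh.com": 4,
}

def _read_string(buf, off):
    """SSH wire string: big-endian uint32 length, then the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def cert_validity(cert_line):
    """Return (valid_after, valid_before) epoch seconds from a *-cert.pub line."""
    blob = base64.b64decode(cert_line.split()[1])
    ktype, off = _read_string(blob, 0)
    for _ in range(1 + CERT_KEY_FIELDS[ktype.decode()]):  # nonce, then key fields
        _, off = _read_string(blob, off)
    off += 12                                   # uint64 serial, uint32 type
    for _ in range(2):                          # key id, valid principals
        _, off = _read_string(blob, off)
    return struct.unpack_from(">QQ", blob, off)

def agent_lifetime(valid_before, now, requested=0, grace=60, force=False):
    """Lifetime in seconds to hand the agent, or None to skip the cert.
    requested=0 means no -t was given. grace and force are assumed semantics: a
    cert with at most `grace` seconds left counts as expired unless forced.
    valid_after is deliberately not enforced (a not-yet-valid cert only merits a debug message)."""
    remaining = valid_before - now
    if remaining <= grace and not force:
        return None                     # skip the cert; the key itself may still load
    if remaining <= 0:
        return requested                # forced load of an expired cert: no useful bound
    return remaining if requested == 0 else min(requested, remaining)

def _s(b):
    return struct.pack(">I", len(b)) + b

def build_test_cert(valid_after, valid_before):
    """Constructed, unsigned ed25519 certificate line used only as sample input."""
    blob = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\0" * 32) + _s(b"\0" * 32)
            + struct.pack(">QI", 1, 1) + _s(b"example-key-id") + _s(_s(b"adam"))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") * 5)              # critical options, extensions, reserved, sig key, sig
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(blob).decode() + " sample"
```

With now set to the cert's valid_after and no -t given, agent_lifetime returns the 74594-second bound shown in the sample usage above; a larger -t value is clamped to it and a smaller one is kept.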