Bug 2675 - When adding certificates to ssh-agent, use expiry date as upper bound for lifetime

Status: NEW
Product: Portable OpenSSH
Component: ssh-add
Version: 7.4p1
Hardware: All (OS: All)
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2017-02-02 21:13 AEDT by Adam Eijdenberg
Modified: 2017-11-03 16:01 AEDT
Attachments:
First cut of patch (4.83 KB, application/octet-stream), 2017-02-02 21:13 AEDT, Adam Eijdenberg
Patch with correct content type set (4.83 KB, patch), 2017-02-02 21:15 AEDT, Adam Eijdenberg
automatically set lifetimes, add -C, -f and -v options (11.74 KB, patch), 2017-11-03 16:01 AEDT, Damien Miller
Description, Adam Eijdenberg, 2017-02-02 21:13:58 AEDT
Created attachment 2935: First cut of patch

For users that regularly receive new short-lived certificates, it is useful to be able to add these to ssh-agent without the list of identities continually growing.

Since ssh-add already supports a lifetime parameter, I suggest changing the behaviour of ssh-add so that the expiry date in the certificate is always used as an upper bound for the lifetime.

Sample usage:

$ ssh-add ~/.ssh/id_androgogic_shortlived_rsa
Set lifetime to 74594 to match certificate expiry time.
Identity added: /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa (/Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa)
Lifetime set to 74594 seconds
Certificate added: /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa-cert.pub (adam/androbot (for adam.eijdenberg@androgogic.com))
Lifetime set to 74594 seconds
Comment 1, Adam Eijdenberg, 2017-02-02 21:15:31 AEDT
Created attachment 2936: Patch with correct content type set
Comment 2, Damien Miller, 2017-11-03 16:01:19 AEDT
Created attachment 3085: automatically set lifetimes, add -C, -f and -v options

This attempts the same thing a little differently.

This only looks at the valid_before time - I don't think it is helpful to warn if the certificate isn't yet valid as adding a cert that starts a few seconds in the future seems like a pretty common thing to do. Maybe it could be a debug message?

I also added a short grace period for expiring certificates, a way to override the helpfulness (-f), more nuanced error checking (e.g. not skipping loading a key if the cert was expired), a -C flag to only load certs and a verbose (-v) flag to get at the new debug messages.
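As an added illustration, not code from either attached patch, the following Python models the lifetime policy discussed in the report and in Comment 2: it reads valid_after and valid_before from an OpenSSH certificate blob, caps the agent lifetime at the seconds remaining before expiry, skips an expired (or nearly expired) certificate unless forced, and only prints a debug note for a certificate that is not yet valid. The 60-second grace period, the unsigned sample certificate and the helper names are assumptions made for this example.

```python
import struct

FOREVER = 0xFFFFFFFFFFFFFFFF  # valid_before value OpenSSH uses for "never expires"

def _string(b):
    """Encode an SSH wire-format string (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(b)) + b

def build_sample_cert(valid_after, valid_before):
    """Constructed, unsigned ssh-ed25519-cert-v01@openssh.com prefix (test data only):
    type, nonce, pk, serial, cert type, key id, principals, valid_after, valid_before."""
    return (_string(b"ssh-ed25519-cert-v01@openssh.com") + _string(b"\0" * 32)
            + _string(b"\0" * 32) + struct.pack(">QI", 1, 1) + _string(b"example-key")
            + _string(_string(b"alice")) + struct.pack(">QQ", valid_after, valid_before))

def validity_window(blob):
    """Parse (valid_after, valid_before) out of an OpenSSH certificate blob."""
    off = 0
    def take():  # read one wire-format string and advance
        nonlocal off
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4 + n
        return blob[off - n:off]
    ctype = take()
    if not ctype.endswith(b"-cert-v01@openssh.com"):
        raise ValueError("not an OpenSSH certificate")
    take()  # nonce
    # public-key fields before the serial: ed25519 = 1, rsa/ecdsa = 2, dss = 4
    nfields = {b"ssh-rsa": 2, b"ecdsa-": 2, b"ssh-dss": 4}
    for _ in range(next((n for k, n in nfields.items() if ctype.startswith(k)), 1)):
        take()
    off += 12              # uint64 serial + uint32 certificate type
    take(); take()         # key id, valid principals
    return struct.unpack_from(">QQ", blob, off)

def agent_lifetime(blob, now, requested=0, grace=60, force=False):
    """Lifetime in seconds to send to the agent (0 = none), or None to skip the cert.
    Policy as discussed in the bug: cap at expiry, refuse certs expired or expiring
    within `grace` seconds unless forced, and only note a not-yet-valid cert."""
    valid_after, valid_before = validity_window(blob)
    if valid_after > now:
        print(f"debug: certificate not valid for another {valid_after - now}s")
    if valid_before == FOREVER:
        return requested
    remaining = valid_before - now
    if remaining <= grace:
        if not force:
            print("certificate expired or about to expire; skipping")
            return None
        return requested   # forced: keep the caller's lifetime, no capping
    return remaining if requested == 0 else min(requested, remaining)
```

With `now` 74594 seconds before `valid_before` and no requested lifetime, `agent_lifetime` returns 74594, matching the sample output in the description.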