On Sunday, 17 July 2022 21:15:05 CEST Grant Taylor wrote:
> On 7/15/22 11:46 PM, J. Roeleveld wrote:
> > Hmm... interesting. I will look into this.
> :
> :-)
> :
> > But, it needs the agent to be running, which will make it tricky for
> > automation.
> 
> Why can't automation start an agent?

It could, but that would open up an unsecured key to interception if an 
intermediate host is compromised.

> Why can't there be an agent
> running that automation has access to?

See previous answer: the agent, as far as I know, will have the keys in memory 
and I haven't seen evidence that it won't provide the keys without 
authenticating the requestor.

> > I know, which is why I was investigating automating it. The passwords
> > are too long to comfortably copy by hand.
> 
> I assume that you mean "type" when you say "copy".

Yes, copy/paste has no issues with multi-page texts. But manually reading a 
long password and copying it over by typing on a keyboard, when the font can 
make the difference between "1" (ONE), "l" (small letter L) and "|" (pipe 
character) and similar characters, makes it annoying to say the least.

> > I will definitely investigate this. They sound interesting. I'd set
> > the validity to a lot less if this can be automated easily.
> 
> Yes, it can be fairly easily automated.
> 
> One of the other advantages of SSH /certificates/ is when you flip
> things around and use a /host/ certificate.  Clients can recognize that
> the target host's certificate is signed by the trusted SSH CA and not
> prompt for the typical Trust On First Use (TOFU) scenario.  Thus you can
> actually leverage the target host SSH fingerprint and not need to ignore
> that security aspect like so many people do.

Currently, when that prompt pops up, the first thing I do is wait and wonder 
why it's asking for it, as all the systems are already added to the list.

--
Joost
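As an added illustration of the host-certificate setup Grant describes (this is not code from either poster): a POSIX shell walk-through that creates a demo CA, signs a host key as a host certificate, and writes the @cert-authority known_hosts line that lets clients verify the host against the CA instead of prompting for TOFU. Host names, addresses, paths and the validity window are constructed for the demo.

```shell
#!/bin/sh
# Demo: SSH host certificates signed by a local CA (constructed example).
set -eu

# Build the known_hosts line that tells ssh(1) to accept any host key
# certificate signed by this CA for hosts matching the pattern.
# $1 = host pattern, $2 = CA public key line ("type base64 [comment]")
ca_known_hosts_line() {
  pattern=$1
  key=$(printf '%s\n' "$2" | awk '{print $1" "$2}')   # drop the comment
  printf '@cert-authority %s %s\n' "$pattern" "$key"
}

# Keep host certificates short-lived; this interval is an assumption.
HOST_CERT_VALIDITY="${HOST_CERT_VALIDITY:--1d:+52w}"

# Full workflow; needs ssh-keygen(1). Everything lands in a scratch dir.
demo_host_ca() {
  dir=$(mktemp -d)
  # 1. CA key (in practice generated and kept offline or in an HSM).
  ssh-keygen -q -t ed25519 -N '' -C 'demo-host-ca' -f "$dir/host_ca"
  # 2. The target host's own key, as sshd would generate it.
  ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
  # 3. Sign it as a HOST certificate (-h) with identity, principals, validity.
  ssh-keygen -q -s "$dir/host_ca" -h -I 'web01.example.internal' \
    -n 'web01.example.internal,10.0.0.5' -V "$HOST_CERT_VALIDITY" \
    "$dir/ssh_host_ed25519_key.pub"
  # 4. Client side: trust the CA for the whole domain, no per-host TOFU.
  ca_known_hosts_line '*.example.internal,10.0.0.*' "$(cat "$dir/host_ca.pub")" \
    > "$dir/known_hosts"
  # 5. Server side: sshd_config must present the certificate.
  printf 'HostKey %s\nHostCertificate %s-cert.pub\n' \
    "$dir/ssh_host_ed25519_key" "$dir/ssh_host_ed25519_key" \
    > "$dir/sshd_config.snippet"
  # Show what was minted (type, principals, validity) and where it lives.
  ssh-keygen -L -f "$dir/ssh_host_ed25519_key-cert.pub"
  cat "$dir/known_hosts"
  echo "$dir"
}

# Run the workflow only where ssh-keygen is available.
if command -v ssh-keygen >/dev/null 2>&1; then demo_host_ca; fi
```

A client then connects with `ssh -o UserKnownHostsFile=<dir>/known_hosts web01.example.internal` and accepts the host without a fingerprint prompt as long as the presented certificate is signed by the CA, names a matching principal and is within its validity window.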