Hello,

I was reading about ssh & certificates and was curious how to
inform the logging-in user about certificate expiration.

IIRC it is not possible by default now, so an option would be to
have a repository with all signed certificates and check the certs
for expiration. The next idea was then how to inform the logging-in
user via a ForceCommand script before he gets a login shell.

But the issue here is how to get trusted info about the certificate
the logging-in user is using for the session?

Maybe it would be nice to have the certificate fingerprint in an
environment variable created by SSH, something like

  SSH_USERFPRINT="7a:e7:60:fd:e8:ac:3a:52:fe:c9:e2:6c:74:34:95:a1"

then it would be a piece of cake to query the repository of all signed
certs.

I can see the same benefit for ssh keys too; for example one could work
with comments inside public keys (of course with authorized_keys not
writable by the logged-in user).

  sshd[22652]: Found matching RSA key: 7a:e7:60:fd:e8:ac:3a:52:fe:c9:e2:6c:74:34:95:a1

Or do you know another easy way to inform a user about cert expiration
during login?

jirib
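As an added illustration of the ForceCommand idea in the post above (my own example, not code from the poster or from OpenSSH): a wrapper that looks up the session certificate in a repository of signed certs and warns the user when it is close to expiry. It assumes the proposed SSH_USERFPRINT variable, which sshd does not actually set, a repository directory /etc/ssh/signed-certs, and ssh-keygen on PATH.

```python
#!/usr/bin/env python3
# ForceCommand wrapper: warn a user whose SSH certificate is close to expiry.
# Assumed, not OpenSSH behaviour: sshd exports the session certificate's
# fingerprint in SSH_USERFPRINT; CERT_REPO holds every cert the CA signed.
import os, re, subprocess, sys
from datetime import datetime

CERT_REPO = "/etc/ssh/signed-certs"  # assumed location of the cert repository
WARN_DAYS = 14                         # warn when expiry is this close
VALID_RE = re.compile(r"^\s*Valid: from (\S+) to (\S+)\s*$", re.M)

def days_until_expiry(keygen_output, now_iso=None):
    """Days left per the 'Valid:' line of `ssh-keygen -L` output (negative once
    expired); None when the cert never expires ('Valid: forever')."""
    m = VALID_RE.search(keygen_output)
    if not m:
        return None
    # ssh-keygen prints validity bounds in local time as YYYY-MM-DDTHH:MM:SS
    expires = datetime.strptime(m.group(2), "%Y-%m-%dT%H:%M:%S")
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now()
    return (expires - now).days

def find_cert(fingerprint, repo=CERT_REPO):
    """Path of the repository cert whose MD5 fingerprint matches, else None."""
    for name in os.listdir(repo):
        path = os.path.join(repo, name)
        out = subprocess.run(["ssh-keygen", "-l", "-E", "md5", "-f", path],
                             capture_output=True, text=True).stdout
        if fingerprint in out:
            return path
    return None

def main():
    fp = os.environ.get("SSH_USERFPRINT")
    cert = find_cert(fp) if fp else None
    if cert:
        info = subprocess.run(["ssh-keygen", "-L", "-f", cert],
                              capture_output=True, text=True).stdout
        left = days_until_expiry(info)
        if left is not None and left <= WARN_DAYS:
            print(f"WARNING: your SSH certificate expires in {left} day(s)",
                  file=sys.stderr)
    # Hand over to the command the user asked for, or to a login shell
    cmd = os.environ.get("SSH_ORIGINAL_COMMAND")
    shell = os.environ.get("SHELL", "/bin/sh")
    os.execv(shell, [shell, "-c", cmd] if cmd else [shell, "-l"])

if __name__ == "__main__":
    main()
```

Installed via ForceCommand in sshd_config, the script forwards SSH_ORIGINAL_COMMAND so scp and other non-interactive sessions keep working.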
