upstream: When adding certificates to an agent, set the expiry to

the certificate expiry time plus a short (5 min) grace period.

This will cause the agent to automtically remove certificates shortly
after they expire.

A new ssh-add -N option disables this behaviour.

Feedback/ok deraadt@

OpenBSD-Commit-ID: 92fed1bba1025069ad45deebb534be7530e181df

diff --git a/ssh-add.1 b/ssh-add.1
index c31de4dd9dafdde1fabbc9f7ac8ef3805896f80a..babe78040f3dd0fef1cb4c67f932ce8c7194a025 100644 (file)
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: ssh-add.1,v 1.87 2024/06/17 08:30:29 djm Exp $
+.\"    $OpenBSD: ssh-add.1,v 1.88 2025/09/11 02:54:42 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 17 2024 $
+.Dd $Mdocdate: September 11 2025 $
 .Dt SSH-ADD 1
 .Os
 .Sh NAME
@@ -43,7 +43,7 @@
 .Nd adds private key identities to the OpenSSH authentication agent
 .Sh SYNOPSIS
 .Nm ssh-add
-.Op Fl CcDdKkLlqvXx
+.Op Fl CcDdKkLlNqvXx
 .Op Fl E Ar fingerprint_hash
 .Op Fl H Ar hostkey_file
 .Op Fl h Ar destination_constraint
@@ -223,6 +223,13 @@ Lists public key parameters of all identities currently represented
 by the agent.
 .It Fl l
 Lists fingerprints of all identities currently represented by the agent.
+.It Fl N
+When adding certificates, by default
+.Nm
+will request that the agent automatically delete the certificate shortly
+after the certificate's expiry date.
+This flag suppresses this behaviour and does not specify a lifetime for
+certificates added to an agent.
 .It Fl q
 Be quiet after a successful operation.
 .It Fl S Ar provider

diff --git a/ssh-add.c b/ssh-add.c
index 2e41bc26a363529eeb36f9880278e4a5bf46de22..1154006805a5f95f4cea11989eb2114da6a04f75 100644 (file)
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.175 2025/08/29 03:50:38 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.176 2025/09/11 02:54:42 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -70,6 +70,8 @@
 #include "sk-api.h"
 #include "hostfile.h"
 
+#define CERT_EXPIRY_GRACE      (5*60)
+
 /* argv0 */
 extern char *__progname;
 
@@ -234,16 +236,36 @@ delete_all(int agent_fd, int qflag)
        return ret;
 }
 
+static int
+check_cert_lifetime(const struct sshkey *cert, int cert_lifetime)
+{
+       time_t now;
+       uint64_t n;
+
+       if (cert == NULL || cert->cert == NULL || !sshkey_is_cert(cert) ||
+           cert->cert->valid_before == 0xFFFFFFFFFFFFFFFFULL)
+               return cert_lifetime;
+       if ((now = time(NULL)) <= 0)
+               fatal_f("system time is at/before epoch");
+       if ((uint64_t)now > (cert->cert->valid_before + CERT_EXPIRY_GRACE))
+               return -1; /* certificate already expired */
+       n = (CERT_EXPIRY_GRACE + cert->cert->valid_before) - (uint64_t)now;
+       n = MINIMUM(n, INT_MAX);
+       if (cert_lifetime <= 0)
+               return (int)n;
+       return MINIMUM(cert_lifetime, (int)n);
+}
+
 static int
 add_file(int agent_fd, const char *filename, int key_only, int cert_only,
-    int qflag, const char *skprovider,
+    int qflag, int Nflag, const char *skprovider,
     struct dest_constraint **dest_constraints,
     size_t ndest_constraints)
 {
-       struct sshkey *private, *cert;
+       struct sshkey *private = NULL, *cert = NULL;
        char *comment = NULL;
        char msg[1024], *certpath = NULL;
-       int r, fd, ret = -1;
+       int cert_lifetime, r, fd, ret = -1;
        struct sshbuf *keyblob;
 
        if (strcmp(filename, "-") == 0) {
@@ -340,8 +362,8 @@ add_file(int agent_fd, const char *filename, int key_only, int cert_only,
                        fprintf(stderr, "Identity added: %s (%s)\n",
                            filename, comment);
                        if (lifetime != 0) {
-                               fprintf(stderr,
-                                   "Lifetime set to %d seconds\n", lifetime);
+                               fprintf(stderr, "Lifetime set to %s\n",
+                                   fmt_timeframe((time_t)lifetime));
                        }
                        if (confirm != 0) {
                                fprintf(stderr, "The user must confirm "
@@ -369,25 +391,28 @@ add_file(int agent_fd, const char *filename, int key_only, int cert_only,
        if (!sshkey_equal_public(cert, private)) {
                error("Certificate %s does not match private key %s",
                    certpath, filename);
-               sshkey_free(cert);
+               goto out;
+       }
+
+       cert_lifetime = lifetime;
+       if (!Nflag &&
+           (cert_lifetime = check_cert_lifetime(cert, cert_lifetime)) == -1) {
+               logit("Certificate %s has already expired; ignored", certpath);
                goto out;
        }
 
        /* Graft with private bits */
        if ((r = sshkey_to_certified(private)) != 0) {
                error_fr(r, "sshkey_to_certified");
-               sshkey_free(cert);
                goto out;
        }
        if ((r = sshkey_cert_copy(cert, private)) != 0) {
                error_fr(r, "sshkey_cert_copy");
-               sshkey_free(cert);
                goto out;
        }
-       sshkey_free(cert);
-
+       /* send to agent */
        if ((r = ssh_add_identity_constrained(agent_fd, private, comment,
-           lifetime, confirm, skprovider,
+           cert_lifetime, confirm, skprovider,
            dest_constraints, ndest_constraints)) != 0) {
                error_r(r, "Certificate %s (%s) add failed", certpath,
                    private->cert->key_id);
@@ -397,9 +422,9 @@ add_file(int agent_fd, const char *filename, int key_only, int cert_only,
        if (!qflag) {
                fprintf(stderr, "Certificate added: %s (%s)\n", certpath,
                    private->cert->key_id);
-               if (lifetime != 0) {
-                       fprintf(stderr, "Lifetime set to %d seconds\n",
-                           lifetime);
+               if (cert_lifetime != 0) {
+                       fprintf(stderr, "Lifetime set to %s\n",
+                           fmt_timeframe((time_t)cert_lifetime));
                }
                if (confirm != 0) {
                        fprintf(stderr, "The user must confirm each use "
@@ -410,6 +435,7 @@ add_file(int agent_fd, const char *filename, int key_only, int cert_only,
  out:
        free(certpath);
        free(comment);
+       sshkey_free(cert);
        sshkey_free(private);
 
        return ret;
@@ -606,7 +632,7 @@ load_resident_keys(int agent_fd, const char *skprovider, int qflag,
 
 static int
 do_file(int agent_fd, int deleting, int key_only, int cert_only,
-    char *file, int qflag, const char *skprovider,
+    char *file, int qflag, int Nflag, const char *skprovider,
     struct dest_constraint **dest_constraints, size_t ndest_constraints)
 {
        if (deleting) {
@@ -614,7 +640,7 @@ do_file(int agent_fd, int deleting, int key_only, int cert_only,
                    cert_only, qflag) == -1)
                        return -1;
        } else {
-               if (add_file(agent_fd, file, key_only, cert_only, qflag,
+               if (add_file(agent_fd, file, key_only, cert_only, qflag, Nflag,
                    skprovider, dest_constraints, ndest_constraints) == -1)
                        return -1;
        }
@@ -762,7 +788,7 @@ main(int argc, char **argv)
        char **dest_constraint_strings = NULL, **hostkey_files = NULL;
        int r, i, ch, deleting = 0, ret = 0, key_only = 0, cert_only = 0;
        int do_download = 0, xflag = 0, lflag = 0, Dflag = 0;
-       int qflag = 0, Tflag = 0;
+       int qflag = 0, Tflag = 0, Nflag = 0;
        SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
        LogLevel log_level = SYSLOG_LEVEL_INFO;
        struct sshkey *k, **certs = NULL;
@@ -794,7 +820,7 @@ main(int argc, char **argv)
 
        skprovider = getenv("SSH_SK_PROVIDER");
 
-       while ((ch = getopt(argc, argv, "vkKlLCcdDTxXE:e:h:H:M:m:qs:S:t:")) != -1) {
+       while ((ch = getopt(argc, argv, "vVkKlLCcdDTxXE:e:h:H:M:m:qs:S:t:")) != -1) {
                switch (ch) {
                case 'v':
                        if (log_level == SYSLOG_LEVEL_INFO)
@@ -802,6 +828,9 @@ main(int argc, char **argv)
                        else if (log_level < SYSLOG_LEVEL_DEBUG3)
                                log_level++;
                        break;
+               case 'V':
+                       Nflag = 1;
+                       break;
                case 'E':
                        fingerprint_hash = ssh_digest_alg_by_name(optarg);
                        if (fingerprint_hash == -1)
@@ -968,7 +997,7 @@ main(int argc, char **argv)
                        if (stat(buf, &st) == -1)
                                continue;
                        if (do_file(agent_fd, deleting, key_only, cert_only,
-                           buf, qflag, skprovider,
+                           buf, qflag, Nflag, skprovider,
                            dest_constraints, ndest_constraints) == -1)
                                ret = 1;
                        else
@@ -979,7 +1008,7 @@ main(int argc, char **argv)
        } else {
                for (i = 0; i < argc; i++) {
                        if (do_file(agent_fd, deleting, key_only, cert_only,
-                           argv[i], qflag, skprovider,
+                           argv[i], qflag, Nflag, skprovider,
                            dest_constraints, ndest_constraints) == -1)
                                ret = 1;
                }