I was reading about ssh & certificates and was curious how to
inform logging user about this certificate expiration.
IIRC it is not possible by default now, so an option would be to
have a repository with all signed certificates and check the certs
for expiration. Then next idea was how to inform logging user via
a ForceCommand script before he gets login shell.
But the issue here is how to get trusted info about the certificate
the logging user is using for the session?
Maybe it would be nice to have certificate fingerprint in environment
variable which would be created by SSH, something like
then it would be piece of cake to query the repository with all signed
I can see same benefit for ssh keys too, for example one could work
with comments inside public keys (of course not writable authorized_key
by logged user).
sshd: Found matching RSA key: 7a:e7:60:fd:e8:ac:3a:52:fe:c9:e2:6c:74:34:95:a1
Or do you know other easy way to inform an user about cert expiration