I have an environment where I use ssh certificates to authenticate ssh host keys. I'm talking about the kind of certificates created by running ssh-keygen -s /path/to/ca -h ...
. These certificates are also created with a validity interval, stating when they will expire. These certificates have now been in use now long enough that I need to start monitor them, to get a heads up when they start getting close to expire.
Any way I can do a remote connection, without logging in, and somehow either get the validity interval displayed alt. get the certificate downloaded? Running ssh -vvv
don't appear to display the info I need. Neither does ssh-keyscan
appear to be certificate aware. Perhaps some library I haven't looked closely enough at?
Worst case I can always write a monitoring plugin which runs locally and parses the output of ssh-keygen -L -f
. Still, a remote scan really feels like the preferable approach.
Best Answer
This is possible, but it lacks tool support. I found a library which speaks the SSH protocol well enough to let me write a tool to extract the host cert valid_before time without a full ssh login. Here it is, in the Go language. I hope it helps.
(Quick usage instructions: install Go, save the code seen above in sshcertscan.go, run
go build sshcertscan.go
, then point it at an ssh server on examplehost port 22 with./sshcertscan examplehost:22
.)