by radlad 453 days ago
Years ago, I tried building something like this using ProxyCommand to try to fetch the SSH certificate "just-in-time" without having to run a command first, but unfortunately the ordering of OpenSSH was such that ProxyCommand ran after checking the disk for SSH certs/keys. :(
2 comments

I got this working at one point.

The trick is to use your SSH config to intercept SSH connections so they go to a local SSH server; this triggers ProxyCommand and lets you create the cert and then forward those packets into an outgoing SSH connection you don't intercept.

SSH --> Local SSH Server --> ProxyCommand (create cert) --> SSH --> Remote SSH Server

You could use `host match exec` instead of `ProxyCommand`. I believe it will run before you end up checking for files on disk.
Hey, thanks for that! I didn't come across that back then. Looks intriguing.
I’ve played a bit with this, but iirc, I ran into limitations with some of the clients that needed to be supported. But if all you need is OpenSSH, you should be set.
Good call out. One of the advantages of ProxyCommand was that it is supported by Chrome's Secure Shell extension, meaning you could use it on Chromebooks: https://chromewebstore.google.com/detail/secure-shell/iodiha...
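The `Match ... exec` approach suggested in the thread, sketched as an added example (not code from any commenter): a helper that OpenSSH runs while parsing the config, which renews the certificate only when the existing one is missing or expired. The host pattern, file paths, script location and the `request-ssh-cert` command are hypothetical placeholders for whatever your CA client provides.

```shell
#!/bin/sh
# Assumed ~/.ssh/config stanza (host pattern and paths are placeholders):
#   Match host *.internal.example exec "/usr/local/bin/jit-cert.sh --refresh"
#       IdentityFile ~/.ssh/id_ed25519
#       CertificateFile ~/.ssh/id_ed25519-cert.pub
# The stanza applies only when the exec command exits 0.

# Constructed sample of `ssh-keygen -L` output (times are local time).
SAMPLE_DUMP='        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Valid: from 2024-05-01T09:00:00 to 2024-05-01T17:00:00
        Principals:
                alice'

# Read `ssh-keygen -L` text on stdin, print the expiry timestamp (if any).
cert_valid_until() {
    sed -n 's/^[[:space:]]*Valid: from [^ ]* to \([^ ]*\)$/\1/p'
}

# $1 = `ssh-keygen -L` text, $2 = current local time, YYYY-MM-DDTHH:MM:SS.
# Returns 0 when a new certificate should be requested.
cert_needs_refresh() {
    case "$1" in *"Valid: forever"*) return 1 ;; esac
    expiry=$(printf '%s\n' "$1" | cert_valid_until)
    # Missing or unparseable certificate: treat as stale.
    [ -n "$expiry" ] || return 0
    # Same-format ISO timestamps order correctly as plain strings.
    if expr "$2" \< "$expiry" >/dev/null; then
        return 1
    fi
    return 0
}

if [ "${1:-}" = "--refresh" ]; then
    cert="$HOME/.ssh/id_ed25519-cert.pub"
    dump=$(ssh-keygen -L -f "$cert" 2>/dev/null)
    if cert_needs_refresh "$dump" "$(date +%Y-%m-%dT%H:%M:%S)"; then
        # Hypothetical CA client; keep its output off stdout.
        request-ssh-cert --out "$cert" >&2 || exit 1
    fi
    exit 0
fi
```

If issuance fails the helper exits non-zero, so the stanza is skipped and ssh falls back to whatever other identities are configured.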