这是可能的,但它缺乏工具支持.我找到了一个能够很好地说出SSH协议的库,让我编写一个工具来提取主机证书valid_before时间而无需完整的ssh登录.这是Go语言.我希望它有所帮助.
package main
import "golang.org/x/crypto/ssh"
import "fmt"
import "os"
import "time"
func ignoreCertChain(auth ssh.PublicKey, address string) bool {
return true // Pretend all certificates are trusted.
}
var sawACert bool
func examineCert(cert *ssh.Certificate) bool {
expires := cert.ValidBefore
var humanReadable string
if expires >= ssh.CertTimeInfinity {
humanReadable = "infinity"
} else if expires < (1 << 63) {
humanReadable = time.Unix(int64(expires), 0).Format(time.RFC3339)
} else {
humanReadable = "the distant future"
}
fmt.Println("Cert expires at time", expires, "(" + humanReadable + ")")
sawACert = true
return true // Reject the cert, to force early connection close.
}
func main() {
serverHostPort := os.Args[1]
checker := &ssh.CertChecker{
IsHostAuthority: ignoreCertChain,
IsRevoked: examineCert,
}
config := &ssh.ClientConfig{
User: "test-sshcertscan-not-a-real-login-attempt",
Auth: []ssh.AuthMethod{
ssh.Password(""),
},
HostKeyCallback: checker.CheckHostKey,
}
sawACert = false
client, err := ssh.Dial("tcp", serverHostPort, config);
if err != nil && !sawACert {
panic(fmt.Sprint("Cannot connect to ", serverHostPort, ", error: ",
err.Error()))
} else if client != nil {
defer client.Close()
}
}
(快速使用说明:安装Go,保存上面sshcertscan.go中的代码,运行go build sshcertscan.go,然后使用./sshcertscan examplehost:22将它指向examplehost端口22上的ssh服务器.)