Hello,

I am in a PoC of setting up an SSH CA for the SSH host keys. The idea is to add an SSH CA service that would generate SSH certificates for servers that we install automatically. This way, we would be sure that if a server presents itself with a certificate signed by the CA, it belongs to us and is not a MitM.

I settled on a GnuPG smartcard to go with the SSH CA. This would secure the private key material from remote attack, and the smartcard itself is protected by a PIN. The smartcard is supported by opensc-pkcs11.so, and it works nicely with ssh authentication, with native ssh-agent with "ssh-add -s opensc-pkcs11.so", with gpg-agent's ssh agent support, and it neatly generates SSH certificates with "ssh-keygen -D opensc-pkcs11.so".

Now, my design assumed that the SSH CA would only require PIN entry on its PIN-pad after, say, a reboot. ssh-agent works like this for ssh authentication - it keeps the card open until it's removed or the machine gets turned off. Unfortunately, ssh-keygen cannot currently utilize ssh-agent for generating host certificates. It opens the smartcard with the pkcs11 library on its own, requests the PIN for every signature, and closes the card.

Of course, I could use a card reader that doesn't have a PIN-pad. I guess I could issue "echo 1234 | ssh-keygen -D opensc-pkcs11.so". Or I could totally resign from using a smartcard. But then, the same happens if I use a password-protected private key as the CA - I get prompted for the key password on each run. All of those approaches are not ideal, to say the least.

What I need is a process that keeps the smartcard open, so that it's possible to only enter the PIN once. This is done for ssh in ssh-agent. Would it be possible to add ssh-agent support to ssh-keygen?

Best regards,
Bolesław Tokarski

openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
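The host-CA workflow the post describes, as an added example that is not part of the original message or of OpenSSH: it runs the whole round trip with ssh-keygen using file-based keys in place of the smartcard, signs the host key as a host certificate bound to explicit principals and a validity window, then checks the fields a verifier depends on (certificate type, key ID, and that the signing CA fingerprint is the expected CA) and writes the client-side `@cert-authority` known_hosts line and the sshd_config directives. A second function shows the agent-backed variant that later OpenSSH releases added (`ssh-keygen -U`, where the CA private key lives in ssh-agent and `-s` names its public half), which is the behaviour the post asks for. The CA name, the host name `web01.example.internal` and the address `10.0.0.11` are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH: a complete
# SSH host-CA round trip with ssh-keygen. File-based keys stand in for the
# smartcard so it runs anywhere ssh-keygen is installed. The CA name, the host
# name "web01.example.internal" and the address 10.0.0.11 are constructed.

# demo_host_ca WORKDIR
#   Creates a CA key and a host key in WORKDIR, signs the host key as a *host*
#   certificate (-h) with explicit principals (-n), a validity window (-V) and
#   a serial (-z), then verifies type, key ID, principals and signing CA.
#   Also writes the known_hosts trust line and an sshd_config snippet.
#   Prints OK on success, SKIP when ssh-keygen is missing; non-zero on failure.
demo_host_ca() {
    work=$1
    command -v ssh-keygen >/dev/null 2>&1 || { echo SKIP; return 0; }

    ssh-keygen -q -t ed25519 -N '' -C 'host-ca (constructed)' -f "$work/host_ca"
    ssh-keygen -q -t ed25519 -N '' -C 'web01 host key' -f "$work/ssh_host_ed25519_key"

    # Validity starts 5 minutes in the past to absorb clock skew, ends in 52 weeks.
    ssh-keygen -q -s "$work/host_ca" -I 'web01.example.internal host key' -h \
        -n web01.example.internal,10.0.0.11 -V -5m:+52w -z 1 \
        "$work/ssh_host_ed25519_key.pub"
    cert="$work/ssh_host_ed25519_key-cert.pub"

    # What a verifier cares about: it is a HOST cert, for THIS host, from OUR CA.
    listing=$(ssh-keygen -L -f "$cert")
    printf '%s\n' "$listing" | grep -q 'host certificate' \
        || { echo "not a host certificate" >&2; return 1; }
    printf '%s\n' "$listing" | grep -q 'Key ID: "web01.example.internal host key"' \
        || { echo "unexpected key ID" >&2; return 1; }
    printf '%s\n' "$listing" | grep -q '^ *web01\.example\.internal$' \
        || { echo "principal missing" >&2; return 1; }
    ca_fp=$(ssh-keygen -lf "$work/host_ca.pub" | awk '{print $2}')
    signer_fp=$(printf '%s\n' "$listing" | awk '/Signing CA:/ {print $4}')
    [ "$ca_fp" = "$signer_fp" ] \
        || { echo "certificate signed by an unexpected CA" >&2; return 1; }

    # Client side: trust the CA for matching host patterns, not individual keys.
    ca_pub=$(cut -d' ' -f1,2 "$work/host_ca.pub")
    printf '@cert-authority *.example.internal,10.0.0.* %s\n' "$ca_pub" > "$work/known_hosts"
    # Server side: present the certificate alongside the host key.
    printf 'HostKey /etc/ssh/ssh_host_ed25519_key\nHostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\n' \
        > "$work/sshd_config.snippet"
    echo OK
}

# sign_with_agent WORKDIR
#   Re-signs the host key with the CA private key held in ssh-agent (-U), so the
#   key (or a PIN-protected token behind the agent) is unlocked once, not per
#   signature. Requires demo_host_ca to have created the keys in WORKDIR.
sign_with_agent() {
    work=$1
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$work/host_ca" 2>/dev/null
    if ssh-keygen -q -U -s "$work/host_ca.pub" -I 'web01.example.internal host key (agent)' \
            -h -n web01.example.internal -V -5m:+52w -z 2 "$work/ssh_host_ed25519_key.pub"; then
        rc=0
    else
        rc=1
    fi
    ssh-agent -k >/dev/null
    return $rc
}

d=$(mktemp -d)
result=$(demo_host_ca "$d")
echo "file-based CA signing: $result"
if [ "$result" = OK ]; then
    cat "$d/known_hosts" "$d/sshd_config.snippet"
    if command -v ssh-agent >/dev/null 2>&1; then
        sign_with_agent "$d" && echo "agent-backed CA signing: OK" \
            || echo "agent-backed CA signing: failed" >&2
    fi
fi
rm -rf "$d"
```

The fingerprint comparison is the check that matters operationally: a host certificate that parses and has the right principals is still worthless if `Signing CA` is not the CA you distribute in known_hosts. With a smartcard, `-s "$work/host_ca"` becomes `-D opensc-pkcs11.so -s "$work/host_ca.pub"` as in the post, and the agent path in `sign_with_agent` is what lets the PIN be entered once per agent lifetime instead of per certificate.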