Agent support for ssh-keygen isn't a bad idea - could you please file a
feature request at https://bugzilla.mindrot.org/ so we don't forget it?

-d

On Fri, 10 Apr 2015, Bolesław Tokarski wrote:

> Hello,
>
> I am in a PoC of setting up an SSH CA for the SSH host keys. The idea is to
> add an SSH CA service that would generate SSH certificates for servers that
> we install automatically. This way, we would be sure that if a server
> presents itself with a certificate signed by the CA, it belongs to us,
> and is no MitM.
>
> I settled on a GnuPG smartcard to go with the SSH CA. This would secure the
> private key material from remote attack, and the smartcard itself is
> protected by a PIN. The smartcard is supported by opensc-pkcs11.so, and it
> works nicely with ssh authentication, with native ssh-agent with "ssh-add
> -s opensc-pkcs11.so", with gpg-agent's ssh agent support, and it neatly
> generates SSH certificates with "ssh-keygen -D opensc-pkcs11.so".
>
> Now, my design assumed that the SSH CA would only require PIN entry on
> its PIN-pad after, say, a reboot. ssh-agent works like this for ssh
> authentication - it keeps the card open until it's removed or the machine
> gets turned off. Unfortunately, ssh-keygen cannot currently utilize
> ssh-agent for generating host certificates. It opens the smartcard with the
> pkcs11 library on its own, requests the PIN for every signature, and closes
> the card.
>
> Of course, I could use a card reader that doesn't have a PIN-pad. I guess I
> could issue "echo 1234 | ssh-keygen -D opensc-pkcs11.so". Or I could give up
> on using a smartcard entirely. But then, the same happens if I use a
> password-protected private key as the CA - I get prompted for the key
> password on each run. All of those approaches are not ideal, to say the
> least.
>
> What I need is a process that keeps the smartcard open, so that it's
> possible to only enter the PIN once. This is done for ssh in ssh-agent.
> Would it be possible to add ssh-agent support to ssh-keygen?
>
> Best regards,
> Bolesław Tokarski
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
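The host-certificate CA workflow the original post describes, as an added example that is not code from the thread or from OpenSSH itself. A file-based CA key stands in for the smartcard so it runs offline; the work directory, host name "web1" and domain "example.com" are constructed for the demo. It issues a host certificate, then performs the trust check a client relies on: the certificate's signing CA fingerprint must match the CA key pinned in known_hosts, and a certificate from any other CA is rejected.

```shell
#!/bin/sh
# Added example (not from the thread): SSH host-certificate CA with a
# file-based CA key standing in for the smartcard. Host/domain names are
# constructed for the demo.
set -eu

# Create the CA key pair in DIR. With the smartcard from the thread the
# private half never leaves the card; only host_ca.pub is exported.
make_host_ca() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -C 'host-ca' -f "$dir/host_ca"
}

# Generate a host key for HOST and sign it with the CA in CA_DIR.
# -h marks a host (not user) certificate, -n restricts the names the host
# may present, -V bounds the validity window. Prints the certificate path.
# With the card the signing step becomes
#   ssh-keygen -D opensc-pkcs11.so -s "$ca_dir/host_ca.pub" ...
issue_host_cert() {
    ca_dir=$1 host=$2 domain=$3
    ssh-keygen -q -t ed25519 -N '' -C "$host host key" -f "$ca_dir/$host.key"
    ssh-keygen -q -s "$ca_dir/host_ca" -I "$host-host-key" -h \
        -n "$host,$host.$domain" -V '-1h:+52w' "$ca_dir/$host.key.pub" 2>/dev/null
    printf '%s\n' "$ca_dir/$host.key-cert.pub"
}

# Fingerprint of a public key file, e.g. "SHA256:...".
key_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# Fingerprint of the CA that signed CERT, read from ssh-keygen -L output
# ("Signing CA: ED25519 SHA256:... (using ssh-ed25519)").
signing_ca_fingerprint() {
    ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4}'
}

# "host certificate" or "user certificate" from the Type line.
cert_type() {
    ssh-keygen -L -f "$1" | awk '/^ *Type:/ {print $(NF-1), $NF}'
}

# Principals (host names) the certificate is valid for, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ {f=1; next} /Critical Options:/ {f=0} f {print $1}'
}

# The trust decision: ssh-keygen -L already verified the embedded signature,
# so "belongs to us" reduces to the signer being exactly our pinned CA key.
cert_issued_by() {
    cert=$1 ca_pub=$2
    [ "$(signing_ca_fingerprint "$cert")" = "$(key_fingerprint "$ca_pub")" ]
}

# known_hosts entry that makes clients accept host certificates from CA_PUB
# for DOMAIN and its subdomains instead of per-host keys.
cert_authority_line() {
    ca_pub=$1 domain=$2
    printf '@cert-authority *.%s,%s %s\n' "$domain" "$domain" \
        "$(cut -d' ' -f1,2 "$ca_pub")"
}

demo() {
    work=$(mktemp -d)
    make_host_ca "$work"
    cert=$(issue_host_cert "$work" web1 example.com)
    ssh-keygen -L -f "$cert"
    echo "known_hosts line:"
    cert_authority_line "$work/host_ca.pub" example.com
    if cert_issued_by "$cert" "$work/host_ca.pub"; then
        echo "certificate was issued by our CA"
    fi
    rm -rf "$work"
}

demo
```

The thread's wish was later granted: current ssh-keygen accepts `-U` together with `-s ca.pub`, which signs with the CA private key held in ssh-agent (card or passphrase unlocked once, as with `ssh-add -s opensc-pkcs11.so`), so the per-signature PIN prompt described above no longer applies on those releases.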