Hi,

This seems like a reasonable idea. Could you please attach this to a bug at https://bugzilla.mindrot.org/ ? This will ensure it won't get lost.

On Thu, 13 Aug 2015, Thomas Jarosch wrote:

> Hi,
>
> On Sunday, 26. July 2015 16:52:18 you wrote:
> > Add support to load additional certificates
> > for already loaded private keys. Useful
> > if the private key is on a PKCS#11 hardware token.
> >
> > The private keys inside ssh-agent are now using a refcount
> > to share the private parts between "Identities".
> > The reason for this change was that the PKCS#11 code
> > might have redirected ("wrap") the RSA functions to a hardware token.
> > We don't want to mess with those internals.
> >
> > Tested with an OpenGPG card. Patch developed against 6.9p
> > and applies to original 6.9, too.
> >
> > Please CC: comments.
> >
> > Signed-off-by: Thomas Jarosch <thomas.jarosch@xxxxxxxxxxxxx>
>
> any comment on this?
>
> Is the concept sound or did I take the wrong turn here?
>
> If upstream considers this the way to go, I can try
> to split up the patch into smaller pieces like this:
>
> - sshkey.c: Add "int sshkey_is_private(const struct sshkey *)" function
> - ssh-agent: Transition to private key refcounting
> - ssh-agent: Implement private key "shadowing"
> - ssh-add: Add support to add plain certificates
>
> Thanks in advance,
> Thomas
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev