> So it's not clear this provides any advantage over just using the existing
> encrypted channel.

Well in this case there isn't necessarily an existing encrypted ssh channel b/c i'm presenting the cert (well, a cert-backed message) to something other than sshd, so it could be over just about any transport protocol.

but all of these are valid points for why something like this already in ssh-agent. as I said, moronic monday, at least in pst. :)

> Actually, you don't need any extensions to do this - you can get
> the pubkey from the agent directly

yeah, getting the pubkey is no problem. it's getting access to the private key to do the decryption.

Cheers,
peter