Re: ssh-agent could not add signed cert when private key stored in yubikey

On Tue, 2019-01-29 at 22:35 +0800, YC wrote:
> Hi,
> 
> I'm currently stuck with yubikey + signed user key + ssh-agent
> forwarding.
> As https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html
> noted, I have private key stored in yubikey, public key in
> ~/.ssh/id_rsa.pub and signed public key in ~/.ssh/id_rsa-cert.pub on
> PC (see below).
> 
> It's not working with this agent forwarding access:
> PC----Server_A----Server_B. Placing private key saved in ~/id_rsa, it
> works fine! After a simple comparison, I found that when private key
> is stored in yubikey hardware, ssh-add would not add signed public key
> (id_rsa-cert.pub) to ssh-agent, should this be the problem?
> Is there a way to add signed public key to ssh-agent?

This is a known bug tracked here [1] including proposed patch.

There is one possibility to copy the public key and certificate to your
Server A or use the patch attached to the bug [1] (or wait and it will
hopefully land in the next release).

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2472

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


