On Tue, 2019-01-29 at 22:35 +0800, YC wrote:
> Hi,
>
> I'm currently stuck with yubikey + signed user key + ssh-agent
> forwarding.
> As
> https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html
> noted, I have the private key stored in the yubikey, the public key in
> ~/.ssh/id_rsa.pub and the signed public key in ~/.ssh/id_rsa-cert.pub
> on the PC (see below).
>
> It's not working with this agent forwarding access:
> PC----Server_A----Server_B. Placing
> private key saved in ~/id_rsa, it works fine! After a simple
> comparison, I found that when the private key is stored in the yubikey
> hardware, ssh-add would not add the signed public key
> (id_rsa-cert.pub) to ssh-agent. Should this be the problem?
> Is there a way to add the signed public key to ssh-agent?

This is a known bug tracked here [1], including a proposed patch.

There is one possibility to copy the public key and certificate to your
Server A, or use the patch attached to the bug [1] (or wait and it will
hopefully land in the next release).

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2472

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
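A way to confirm the symptom discussed in this thread, as an added example that is not part of the original messages or of OpenSSH: it parses `ssh-add -L` output and reports which keys in the agent have no matching certificate loaded alongside them. The function names and the sample listing are constructed for illustration; the certificate field order follows OpenSSH's PROTOCOL.certkeys.

```python
import base64
import struct

CERT_SUFFIX = b"-cert-v01@openssh.com"
# Number of public-key fields that follow the nonce in a certificate blob.
KEY_FIELDS = {b"ssh-rsa": 2, b"ecdsa-sha2-nistp256": 2, b"ssh-ed25519": 1}

def pack(field):  # one SSH wire-format string: uint32 length, then the bytes
    return struct.pack(">I", len(field)) + field

def read_field(buf, off):  # returns (field bytes, offset of the next field)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def embedded_key(blob):
    """Plain public-key blob wrapped by a certificate blob; None if blob is a plain key."""
    ktype, off = read_field(blob, 0)
    if not ktype.endswith(CERT_SUFFIX):
        return None
    base = ktype[:-len(CERT_SUFFIX)]
    _nonce, off = read_field(blob, off)
    out = pack(base)
    for _ in range(KEY_FIELDS.get(base, 0)):  # unknown type: matches no plain key
        field, off = read_field(blob, off)
        out += pack(field)
    return out

def keys_without_cert(listing):
    """Comments of plain keys in `ssh-add -L` output that have no certificate loaded."""
    plain, certified = {}, set()
    for line in listing.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-")):
            continue  # e.g. "The agent has no identities."
        blob = base64.b64decode(parts[1])
        inner = embedded_key(blob)
        if inner is None:
            plain[blob] = parts[2] if len(parts) > 2 else ""
        else:
            certified.add(inner)
    return [comment for blob, comment in plain.items() if blob not in certified]

def sample_listing():
    """Constructed listing (toy keys, certificate cut after its key fields)."""
    ctype, head = b"ssh-rsa" + CERT_SUFFIX, pack(b"ssh-rsa") + pack(b"\x01\x00\x01")
    file_key, token_key = head + pack(b"\x00\xc1\x11\x11"), head + pack(b"\x00\xd3\x22\x22")
    cert = pack(ctype) + pack(b"N" * 32) + file_key[len(pack(b"ssh-rsa")):]
    rows = [(b"ssh-rsa", file_key, "file-key"), (ctype, cert, "file-key"),
            (b"ssh-rsa", token_key, "token-key")]
    return "\n".join(f"{t.decode()} {base64.b64encode(b).decode()} {c}" for t, b, c in rows)
```

To check a real agent, pass the text printed by `ssh-add -L` on the PC to `keys_without_cert`; a token-backed key that shows up in the result is one the forwarded agent cannot present a certificate for.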