On Tue, 29 Jan 2019, YC wrote:

> Hi,
>
> I'm currently stuck with yubikey + signed user key + ssh-agent forwarding.
> As https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html noted,
> I have private key stored in yubikey, public key in ~/.ssh/id_rsa.pub and
> signed public key in ~/.ssh/id_rsa-cert.pub on PC (see below).

There is currently no way to add certificates to an agent for PKCS#11 keys.

That being said, you don't strictly need to. ssh is able to graft the
certificates to private keys held in agents or tokens at runtime - you
just need to specify the certificate(s) using the IdentityFile directive.

Note that this won't work using agent forwarding, but it will work using
ProxyJump.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
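The setup described in the reply above, written out as a client-side ssh_config fragment. This is an added example, not part of the original message: the host names and the PKCS#11 module path are placeholders, and the certificate path is the one given in the quoted question.

```sshconfig
# Added example: host names and the module path below are placeholders.

# With ProxyJump, both hops are authenticated by the ssh client on the PC,
# so the token and the certificate file never have to be reachable from
# the jump host.
Host bastion.example.com target.example.com
    # Placeholder path to the PKCS#11 module that talks to the YubiKey.
    PKCS11Provider /path/to/pkcs11-module.so
    # Certificate that ssh grafts onto the matching token-held private key
    # at runtime (path taken from the quoted message).
    IdentityFile ~/.ssh/id_rsa-cert.pub
    # The reply notes this approach does not work over agent forwarding,
    # so forwarding is left off and ProxyJump is used instead.
    ForwardAgent no

Host target.example.com
    # Reach the target through the jump host.
    ProxyJump bastion.example.com
```

Running `ssh -G target.example.com` prints the options ssh resolves for that host, which confirms that the `ProxyJump` and `IdentityFile` entries are picked up before any connection is attempted.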