On 08/02/2021 12:58, Jakub Jelen wrote:
> this was discussed in the following two bugs in context of pkcs11
> keys, but without any definite solution.
> https://bugzilla.mindrot.org/show_bug.cgi?id=2472
> https://bugzilla.mindrot.org/show_bug.cgi?id=2808
Thanks for those references.
I'm not sure I understand the last comment
<https://bugzilla.mindrot.org/show_bug.cgi?id=2808#c2>:
"BTW You can use certificates in ssh already using keys stored in an
agent or token. Certificates are grafted to external keys at
authentication time if they are available."
I *think* it's saying that you can authenticate using a private key in
an agent together with a corresponding id_xxx.cert file on the
filesystem. But that means if you download your certificate from
somewhere, you have to write it to the filesystem in a suitable
location. Also, if you're doing multiple login hops using agent
forwarding, you'd have to copy the certificate to each hop where the ssh
client runs to ssh to the next hop. Is that right?
Alternatively: you could reload your private key and cert together into
the agent. That would presumably require re-unlocking the private key
with a passphrase, and wouldn't work for private keys stored in hardware
tokens.
Thanks,
Brian.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
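The "grafting" the quoted bug comment refers to, a certificate read from disk being paired with a key the agent holds, can be illustrated with the following Python. This is an added example, not code from this thread or from OpenSSH: it serialises a synthetic ssh-ed25519 user certificate in the OpenSSH wire layout (field order as in PROTOCOL.certkeys, with a placeholder signature that nothing verifies), parses it back, and decides whether it can be used with a simulated agent key list by comparing the embedded public key and checking the validity window. The key bytes, key id, principal and the `AGENT_KEYS` list are all constructed.

```python
"""Added illustration of pairing an OpenSSH certificate with an agent-held key.
Not OpenSSH code; the certificate signature below is a placeholder."""
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
KEY_TYPE = b"ssh-ed25519"


def _s(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    """Minimal cursor over an SSH wire blob."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        value = self.data[self.pos:self.pos + n]
        self.pos += n
        return value

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def at_end(self) -> bool:
        return self.pos >= len(self.data)


def agent_key_blob(pk: bytes) -> bytes:
    """Public key blob as an agent lists it: string "ssh-ed25519", string pk."""
    return _s(KEY_TYPE) + _s(pk)


def encode_ed25519_cert(pk, ca_pk, key_id, principals, valid_after, valid_before, serial=1):
    """Serialise a user certificate in the ssh-ed25519-cert-v01 layout.
    The trailing signature is a zero placeholder, not a real CA signature."""
    principals_blob = b"".join(_s(p.encode()) for p in principals)
    body = (
        _s(CERT_TYPE)
        + _s(b"\x00" * 32)                   # nonce (constant here; random in practice)
        + _s(pk)                             # the user's public key
        + struct.pack(">Q", serial)
        + struct.pack(">I", 1)               # type 1 = user certificate
        + _s(key_id.encode())
        + _s(principals_blob)
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _s(b"")                            # critical options (none)
        + _s(b"")                            # extensions (none)
        + _s(b"")                            # reserved
        + _s(agent_key_blob(ca_pk))          # signature key (the CA)
    )
    placeholder_sig = _s(KEY_TYPE) + _s(b"\x00" * 64)  # NOT a real signature
    return body + _s(placeholder_sig)


def parse_ed25519_cert(blob: bytes) -> dict:
    """Decode the fields a client needs to pair and validate a certificate."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    r.string()                               # nonce
    pk = r.string()
    serial = r.u64()
    cert_type = r.u32()
    key_id = r.string().decode()
    pr = _Reader(r.string())
    principals = []
    while not pr.at_end():
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    return {"pk": pk, "serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before}


def graft_certificate(cert_blob: bytes, agent_keys: list, now: int):
    """Return the parsed certificate if the agent holds its key and the
    certificate is within its validity window; otherwise None (a client
    would then be left with the bare agent key only)."""
    cert = parse_ed25519_cert(cert_blob)
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return None
    if agent_key_blob(cert["pk"]) not in agent_keys:
        return None
    return cert


# Constructed sample data: a user key "in the agent", a CA key, and a cert.
USER_PK = bytes(range(32))
CA_PK = bytes(range(32, 64))
SAMPLE_CERT = encode_ed25519_cert(USER_PK, CA_PK, "brian@example", ["brian"],
                                  valid_after=1000, valid_before=2000)
AGENT_KEYS = [agent_key_blob(USER_PK)]

if __name__ == "__main__":
    print(graft_certificate(SAMPLE_CERT, AGENT_KEYS, now=1500))
```

Only public material is compared here: the pairing needs nothing from the agent beyond the key list it already advertises, which is why the private key can stay in the agent (or in a token behind it) while the certificate lives as a file beside the client.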