On 09/02/2021 23:51, Damien Miller wrote:
So basically: can I send just a certificate to ssh-agent? And if so, how is that done?Yes, it is possible but poorly documented (patches welcome as always). The format for encoding a certificate with private key is is roughly {cert, private fields}. See sshkey.c:sshkey_private_serialize_opt() for the actual code, but it's basically the following, where "certificate blob" is the entire public certificate key.
That's how to send a (private key, certificate) pair - I have that working already, thanks to the go x/crypto/ssh/agent library.
However, the question was whether it's possible to send just a certificate by itself, which corresponds to a private key that the agent already has. And at the moment, I think the answer is "no you can't".
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
