Re: Insert certificate into agent for existing key?

On Wed, 10 Feb 2021, Brian Candler wrote:

> On 09/02/2021 23:51, Damien Miller wrote:
> > > So basically: can I send just a certificate to ssh-agent?  And if so,
> > > how is that done?
> > Yes, it is possible but poorly documented (patches welcome as always).
> > The format for encoding a certificate with private key is roughly
> > {cert, private fields}. See sshkey.c:sshkey_private_serialize_opt() for
> > the actual code, but it's basically the following, where "certificate
> > blob" is the entire public certificate key.
> 
> That's how to send a (private key, certificate) pair - I have that working
> already, thanks to the go x/crypto/ssh/agent library.
> 
> However, the question was whether it's possible to send just a certificate by
> itself, which corresponds to a private key that the agent already has.  And at
> the moment, I think the answer is "no you can't".

No - there's a patch to support it at
https://bugzilla.mindrot.org/show_bug.cgi?id=2472 but I'm not sure it's
the correct approach.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev