On 9/10/21 9:53 AM, Jochen Bern wrote:
A quick question (I hope): I built an SSH user CA that would allow users
to SSH in (using their keypair) and thus trigger creation of a matching
cert. What I would *like* to do is to (add agent forwarding to the login
and) have the CA load the cert straight into the agent.
What happens is that doing an ssh-add on the CA fails because it cannot
find the *private* key in a local file, and even when I download the
cert and do the ssh-add locally, I need to enter the passphrase into the
terminal, presumably because it does read the privkey from its file as
well - in spite of the fact that the privkey is already loaded in the
agent all the time.
Is this a principal limitation of the code/protocol/security model,
something I can work around (though I don't yet see how), a feature
request with a chance of getting implemented, ... ?
Yes,
this was discussed since 2015 in context of PKCS #11 backed keys in
hardware, but the protocol was not yet updated to support loading
separate certificates:
https://bugzilla.mindrot.org/show_bug.cgi?id=2472
Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev