[Bug 1914] New: ssh-add: add an option to cryptographically verify if agent can access the matching private key of a given public key

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Jun 10 21:37:04 EST 2011


https://bugzilla.mindrot.org/show_bug.cgi?id=1914

           Summary: ssh-add: add an option to cryptographically verify if
                    agent can access the matching private key of a given
                    public key
           Product: Portable OpenSSH
           Version: 5.8p2
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ssh-add
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: kb at open.ch


Created attachment 2055
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2055
Patch

I need to cryptographically verify if a given key is loaded into the
agent.

The patch adds the option "-v pubkey" which allows ssh-add to do the
same public key authentication procedure as done by sshd. This means it
sends a challenge to the agent which must return a valid signature. It
does not just "believe" the agent as checking the output of "ssh-add
-L" would do.

Use case:
For remote access, the user logs in from home. First a one-time-password
is used to authenticate the user via PAM. Then we want to check if the
user has his key loaded into the ssh-agent. Currently we do this by a
ForcedCommand which opens another ssh session, where the key is used
for authentication. We would like to do that test directly in the
ForcedCommand script.

The patch is based on 5.8p2 and implements that feature for ssh1 and
ssh2, contains regression tests and updates the man page.
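The challenge/response check the patch describes, written here as an added example against the ssh-agent socket protocol (draft-miller-ssh-agent); it is not the reporter's patch or OpenSSH code. It lists the agent's identities, asks the agent to sign a fresh random challenge with the key matching the given public key, and verifies that signature locally, so a key the agent merely lists but cannot sign with is rejected. It assumes an Ed25519 key, a running agent reachable via SSH_AUTH_SOCK, and the third-party `cryptography` package for the verification step.

```python
import base64, os, secrets, socket, struct

# ssh-agent protocol message numbers (draft-miller-ssh-agent)
AGENTC_REQUEST_IDENTITIES, AGENT_IDENTITIES_ANSWER = 11, 12
AGENTC_SIGN_REQUEST, AGENT_SIGN_RESPONSE = 13, 14

def ssh_string(b):  # RFC 4251 "string": big-endian uint32 length, then bytes
    return struct.pack(">I", len(b)) + b
def read_string(buf, off):  # -> (bytes, offset just after the string)
    n = struct.unpack(">I", buf[off:off + 4])[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities(msg):  # IDENTITIES_ANSWER body -> [(key blob, comment), ...]
    if msg[0] != AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %d" % msg[0])
    off, keys = 5, []
    for _ in range(struct.unpack(">I", msg[1:5])[0]):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        keys.append((blob, comment))
    return keys
def build_sign_request(blob, data, flags=0):  # SIGN_REQUEST: key blob, data, flags
    return bytes([AGENTC_SIGN_REQUEST]) + ssh_string(blob) + ssh_string(data) + struct.pack(">I", flags)
def parse_signature(sig_blob):  # SSH signature blob -> (algorithm name, raw signature)
    alg, off = read_string(sig_blob, 0)
    return alg, read_string(sig_blob, off)[0]

def agent_call(sock, msg):  # length-framed request/response on the agent socket
    sock.sendall(ssh_string(msg))
    return sock.recv(struct.unpack(">I", sock.recv(4, socket.MSG_WAITALL))[0], socket.MSG_WAITALL)

def agent_proves_key(pubkey_line):  # pubkey_line: "ssh-ed25519 AAAA... comment"
    from cryptography.hazmat.primitives.asymmetric import ed25519  # third-party package (assumed)
    from cryptography.exceptions import InvalidSignature
    blob = base64.b64decode(pubkey_line.split()[1])
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        if blob not in [b for b, _ in parse_identities(agent_call(s, bytes([AGENTC_REQUEST_IDENTITIES])))]:
            return False  # not even listed: this is all that checking "ssh-add -L" shows
        challenge = secrets.token_bytes(32)  # fresh per check, so a replayed signature cannot pass
        reply = agent_call(s, build_sign_request(blob, challenge))
    if reply[0] != AGENT_SIGN_RESPONSE:
        return False  # SSH_AGENT_FAILURE: listed, but the agent could not sign with it
    alg, sig = parse_signature(read_string(reply, 1)[0])
    raw_pub = read_string(blob, read_string(blob, 0)[1])[0]  # blob = string(alg) || string(key)
    if alg != b"ssh-ed25519":
        return False  # only Ed25519 keys are handled in this example
    try:
        ed25519.Ed25519PublicKey.from_public_bytes(raw_pub).verify(sig, challenge)
        return True
    except InvalidSignature:
        return False
```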
