[Bug 2377] New: Add ssh-agent support to ssh-keygen

bugzilla-daemon at mindrot.org
Mon Apr 13 18:14:21 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2377

            Bug ID: 2377
           Summary: Add ssh-agent support to ssh-keygen
           Product: Portable OpenSSH
           Version: 6.9p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: boleslaw.tokarski at gmail.com

The only way for ssh-keygen to generate a certificate is currently to
access the private key representing the CA from a file, or open the
pkcs11 smartcard on its own.

This makes it cumbersome to automate, as either the key is unencrypted,
and/or the card is PINless, as otherwise every signing attempt forces a
manual password/PIN prompt.

If ssh-keygen were able to access ssh-agent, it would be up to ssh-agent
to hold the unencrypted private key, or to keep the pkcs11 smartcard
open after having requested the PIN once. It could also be up to the
ssh-agent feature of gpg-agent to use a GnuPG card natively.

Use case:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-April/033813.html
