[Bug 2472] Add support to load additional certificates

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Jan 31 09:23:23 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2472

--- Comment #7 from Thomas Jarosch <thomas.jarosch at intra2net.com> ---
Hi Damien,

cooking this patchset a little further:

(In reply to Damien Miller from comment #5)
> Looking at the patch, I like the idea but I don't think we need to
> modify ssh-agent to accommodate it.
> 
> Couldn't ssh-add just graft the extra certificates to the private
> key and send them? This is similar to how it sends implicit
> *-cert.pub certificates now.

it's been a while, but I remember vaguely that if you remove a
certificate again with the current upstream code, it will call
sshkey_free(id->key) and this will kill the PKCS#11 provider, too.

-> refcounting is needed, especially if multiple certs reference the
same PKCS#11 token / private key.

I could split the refcounting and the "key shadowing" into two distinct
code changes if there's a chance of upstreaming the concept in general.
Not sure if it's worth the effort since it almost touches the same code
places.

> It might be a little more hassle for the user, since they will need
> to have their private keys available at the same time as their
> certificates, but IMO users shouldn't be able to add keys to an
> agent *without* presenting their private section.

if you want to go this route, there are still two unsolved riddles
here:
- How would one specify the filename for the public certs when using
PKCS#11?
- Also: How would it pick up multiple certs for the same private key?

Also, agent forwarding probably won't work: you would need to copy the
certificate files to the machine from which you want to hop to the next machine.

Cheers,
Thomas
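As an added illustration of the refcounting point raised above (this is a hypothetical model written for this page, not OpenSSH code; the structs, function names and the `refcounted` switch are assumptions), the following C shows why unconditionally freeing the shared key on removal breaks the remaining certificate once two certs reference the same PKCS#11 token, and how a reference count avoids it:

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model: one PKCS#11-backed private key shared by several
 * agent identities (certificates). Not OpenSSH's own data structures. */
typedef struct {
    int refcount;        /* identities currently holding this key */
    int provider_alive;  /* 1 while the PKCS#11 provider is loaded */
} shared_key;

typedef struct identity {
    shared_key *key;
    const char *comment;
    struct identity *next;
} identity;

/* Release one identity's hold on the key. Without refcounting this acts
 * like an unconditional sshkey_free(id->key): the provider is torn down
 * on the first removal although other certs still point at the token. */
static void key_release(shared_key *k, int refcounted) {
    if (refcounted && --k->refcount > 0)
        return;                      /* another cert still needs it */
    k->provider_alive = 0;           /* provider unloaded */
}

identity *add_cert(identity *list, shared_key *k, const char *comment) {
    identity *id = calloc(1, sizeof *id);
    id->key = k; k->refcount++; id->comment = comment; id->next = list;
    return id;
}

identity *remove_cert(identity *list, const char *comment, int refcounted) {
    for (identity **pp = &list; *pp; pp = &(*pp)->next) {
        if (strcmp((*pp)->comment, comment) != 0)
            continue;
        identity *dead = *pp;
        *pp = dead->next;                /* unlink, then drop the key */
        key_release(dead->key, refcounted);
        free(dead);
        return list;
    }
    return list;
}

/* Scenario from the bug: two certs over one token, then remove one.
 * Returns 1 if the remaining cert can still reach its private key. */
int remaining_cert_usable(int refcounted) {
    shared_key tok = { 0, 1 };
    identity *ids = add_cert(NULL, &tok, "cert-a");
    ids = add_cert(ids, &tok, "cert-b");
    ids = remove_cert(ids, "cert-a", refcounted);
    int usable = ids != NULL && ids->key->provider_alive;
    while (ids) ids = remove_cert(ids, ids->comment, 1);   /* cleanup */
    return usable;
}
```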
