[Bug 2472] Add support to load additional certificates
bugzilla-daemon at bugzilla.mindrot.org
Tue Jan 31 09:23:23 AEDT 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2472
--- Comment #7 from Thomas Jarosch <thomas.jarosch at intra2net.com> ---
Hi Damien,
cooking this patchset a little further:
(In reply to Damien Miller from comment #5)
> Looking at the patch, I like the idea but I don't think we need to
> modify ssh-agent to accommodate it.
>
> Couldn't ssh-add just graft the extra certificates to the private
> key and send them? This is similar to how it sends implicit
> *-cert.pub certificates now.
It's been a while, but I remember vaguely that if you remove a
certificate again with the current upstream code, it will call
sshkey_free(id->key) and this will kill the PKCS#11 provider, too.
-> refcounting is needed, especially if multiple certs reference the
same PKCS#11 token / private key.
I could split the refcounting and the "key shadowing" into two distinct
code changes if there's a chance of upstreaming the concept in general.
Not sure if it's worth the effort since it almost touches the same code
places.
> It might be a little more hassle for the user, since they will need
> to have their private keys available at the same time as their
> certificates, but IMO users shouldn't be able to add keys to an
> agent *without* presenting their private section.
If you want to go this route, there are still two unsolved riddles
here:
- How would one specify the filename for the public certs when using
PKCS#11?
- Also: How would it pick up multiple certs for the same private key?
Also, agent forwarding probably won't work: you would need to copy the
certificate files to the machine from which you want to hop to the next machine.
Cheers,
Thomas
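The refcounting Thomas describes, shown as an added example that is not part of this thread or of OpenSSH's own code: a hypothetical `shared_key` handle stands in for the PKCS#11-backed private key, two certificate identities (`cert-a`, `cert-b`, constructed names) reference it, and removing one cert drops a reference instead of freeing the key, so the provider is only torn down when the last reference goes. All names and structures here are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical handle for a private key that lives in a PKCS#11 token.
 * It is NOT OpenSSH's sshkey; it only models the ownership problem.
 * provider_alive points at a caller-owned flag so the teardown of the
 * "provider" can be observed. */
struct shared_key {
	int refcount;
	int *provider_alive;
	char label[32];
};

/* Create the key with one reference held by the creator. */
struct shared_key *shared_key_new(const char *label, int *provider_alive)
{
	struct shared_key *k = calloc(1, sizeof(*k));
	if (k == NULL)
		return NULL;
	k->refcount = 1;
	k->provider_alive = provider_alive;
	*provider_alive = 1;		/* "provider" is now loaded */
	snprintf(k->label, sizeof(k->label), "%s", label);
	return k;
}

/* Take an additional reference; returns the same handle. */
struct shared_key *shared_key_ref(struct shared_key *k)
{
	k->refcount++;
	return k;
}

/* Drop a reference; the provider is torn down only by the last holder. */
void shared_key_unref(struct shared_key *k)
{
	if (k == NULL)
		return;
	if (--k->refcount == 0) {
		*k->provider_alive = 0;	/* equivalent of killing the provider */
		free(k);
	}
}

int shared_key_refcount(const struct shared_key *k)
{
	return k->refcount;
}

/* An agent identity: one certificate that references a shared key. */
struct identity {
	char cert_name[32];
	struct shared_key *key;
};

struct identity *identity_add(const char *cert_name, struct shared_key *key)
{
	struct identity *id = calloc(1, sizeof(*id));
	if (id == NULL)
		return NULL;
	snprintf(id->cert_name, sizeof(id->cert_name), "%s", cert_name);
	id->key = shared_key_ref(key);	/* share, don't copy or steal */
	return id;
}

/* Removing a cert releases its reference instead of calling free on
 * the key directly, which is the defect the comment describes. */
void identity_remove(struct identity *id)
{
	shared_key_unref(id->key);
	free(id);
}

/* Returns 1 when removing the first of two certs leaves the provider
 * alive and removing the last one tears it down; 0 otherwise. */
int demo_remove_one_cert_keeps_provider(void)
{
	int alive = 0;
	struct shared_key *k = shared_key_new("token-key", &alive);
	struct identity *a = identity_add("cert-a", k);	/* constructed */
	struct identity *b = identity_add("cert-b", k);	/* constructed */
	int refs_with_two_certs = shared_key_refcount(k);	/* 3 */

	shared_key_unref(k);	/* creator's reference; identities own it now */
	identity_remove(a);
	int alive_after_first = alive;	/* 1: cert-b still references it */
	identity_remove(b);
	int alive_after_last = alive;	/* 0: last reference gone */

	return refs_with_two_certs == 3 && alive_after_first == 1 &&
	    alive_after_last == 0;
}

int main(void)
{
	printf("refcounting keeps provider until last cert removed: %s\n",
	    demo_remove_one_cert_keeps_provider() ? "yes" : "no");
	return 0;
}
```

Without the reference count, `identity_remove(a)` would free the key while `cert-b` still points at it, which is the use-after-free the comment warns about when several certs share one PKCS#11 private key.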