[Bug 2472] Add support to load additional certificates
bugzilla-daemon at bugzilla.mindrot.org
Wed Feb 14 09:50:04 AEDT 2018
https://bugzilla.mindrot.org/show_bug.cgi?id=2472
--- Comment #14 from Thomas Jarosch <thomas.jarosch at intra2net.com> ---
Hi Damien,
I've begun working on this patch set again. It's ported to openssh
7.6p1 already.
What I don't like about the implementation is that it creates an
"empty" private key via sshkey_add_private() in ssh-add to reuse the
existing sshkey_private_serialize() infrastructure. Later on ssh-agent
uses the new sshkey_is_private() "hack" to determine if it's just a
cert or a full private key.
A cleaner approach would be this:
- Add SSH2_AGENTC_ADD_CERTIFICATE_CONSTRAINED on-the-wire id
- Add sshkey_cert_serialize() and _deserialize()
- Load certificate via "ssh-add some-cert-file.pub"
  if a matching private key is already available
  (either loaded or on a PKCS11 token).
The clean extension to the ssh-agent protocol could be added to
https://tools.ietf.org/html/draft-miller-ssh-agent-02
and also be re-used by gpg2's ssh-agent emulation in the near future.
I've also checked the discussion on the resolved bug 2436
and it also had the goal to use multiple certificates.
Having ssh-agent support for this would be the next step.
[side note: The current PKCS11 code in ssh-add skips loading *any*
certificate. This might be due to the refcounting issue as outlined in
comment 7]
What do you think?
You mentioned earlier:
> but IMO users shouldn't be able to add keys to an agent *without*
> presenting their private section.
Can you elaborate a little more on this? Do you see a security risk?