[Bug 2472] Add support to load additional certificates

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Feb 14 09:50:04 AEDT 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2472

--- Comment #14 from Thomas Jarosch <thomas.jarosch at intra2net.com> ---
Hi Damien,

I've begun working on this patch set again. It's ported to openssh
7.6p1 already.

What I don't like about the implementation is that it creates an
"empty" private key via sshkey_add_private() in ssh-add to reuse the
existing sshkey_private_serialize() infrastructure. Later on ssh-agent
uses the new sshkey_is_private() "hack" to determine if it's just a
cert or a full private key.

A cleaner approach would be this:

- Add SSH2_AGENTC_ADD_CERTIFICATE_CONSTRAINED on-the-wire id
- Add sshkey_cert_serialize() and _deserialize()
- Load certificate via "ssh-add some-cert-file.pub"
  if a matching private key is already available
  (either loaded or on a PKCS11 token).

The clean extension to the ssh-agent protocol could be added to
https://tools.ietf.org/html/draft-miller-ssh-agent-02
and also be re-used by gpg2's ssh-agent emulation in the near future.

I've also checked the discussion on the resolved bug 2436
and it also had the goal to use multiple certificates.
Having ssh-agent support for this would be the next step.

[side note: The current PKCS11 code in ssh-add skips loading *any*
certificate. This might be due to the refcounting issue as outlined in
comment 7]

What do you think?


You mentioned earlier:
> but IMO users shouldn't be able to add keys to an agent *without*
> presenting their private section.

Can you elaborate a little more on this? Do you see a security risk?
