[Bug 2472] Add support to load additional certificates

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Jan 22 21:05:34 AEDT 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=2472

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2934|0                           |1
        is obsolete|                            |

--- Comment #16 from Damien Miller <djm at mindrot.org> ---
Created attachment 3227
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3227&action=edit
add SSH2_AGENTC_ADD_CERTIFICATES to add certificates for matching with
private keys

This is an implementation of a SSH2_AGENTC_ADD_CERTIFICATES message in
ssh-agent to load one or more certificates that will be matched to
private keys if/when they are loaded.

I'm not convinced that being able to add certificates to one's agent
yields any security problem. The authenticator is possession of the
private key, and access to an agent socket is already approximately
equivalent to that - an attacker could get equivalent results without
ever touching the agent by grafting a certificate to an agent key
themselves.

BTW, it is already possible to specify certificates in ssh that
will be used with keys from the agent or PKCS#11 tokens. Maybe this
isn't needed at all?
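The comment above describes certificates being "matched to private keys if/when they are loaded". The example below is an added illustration of that matching step, not OpenSSH's ssh-agent code: it parses the ssh-ed25519-cert-v01 certificate layout, pulls out the embedded public key, and pairs each certificate with the agent key whose public half it wraps. The key bytes, key names and certificate blobs are constructed here, and the certificate signature is a placeholder that is never verified (matching, as in the agent, is by public key equality only).

```python
"""Added example (not OpenSSH's code): match certificates loaded into an
agent against the private keys it already holds. Only the ed25519
certificate layout is implemented; all sample data is constructed."""
import struct

ED25519_KEY_TYPE = "ssh-ed25519"
ED25519_CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"


def put_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Cursor over an SSH wire-format blob with bounds checks."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def string(self) -> bytes:
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        if self.pos + n > len(self.data):
            raise ValueError("truncated string")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s


def ed25519_pubkey_blob(pk: bytes) -> bytes:
    """Plain public key blob: string key type, string 32-byte key."""
    if len(pk) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return put_string(ED25519_KEY_TYPE.encode()) + put_string(pk)


def make_ed25519_cert(pk: bytes, key_id: str, principals, serial=1) -> bytes:
    """Constructed certificate blob in the ssh-ed25519-cert-v01 layout.
    The CA key and signature are placeholders; nothing here validates them."""
    body = put_string(ED25519_CERT_TYPE.encode())
    body += put_string(b"\x00" * 32)                      # nonce
    body += put_string(pk)                                # embedded public key
    body += struct.pack(">Q", serial)
    body += struct.pack(">I", 1)                          # type 1 = user cert
    body += put_string(key_id.encode())
    body += put_string(b"".join(put_string(p.encode()) for p in principals))
    body += struct.pack(">QQ", 0, 2**64 - 1)              # valid_after/before
    body += put_string(b"")                               # critical options
    body += put_string(b"")                               # extensions
    body += put_string(b"")                               # reserved
    body += put_string(ed25519_pubkey_blob(b"\x11" * 32)) # CA key (constructed)
    body += put_string(b"placeholder-signature")          # not a real signature
    return body


def cert_embedded_pubkey(cert_blob: bytes) -> bytes:
    """Return the plain public-key blob embedded in a certificate."""
    r = Reader(cert_blob)
    t = r.string().decode()
    if t != ED25519_CERT_TYPE:
        raise ValueError(f"unsupported certificate type {t!r}")
    r.string()            # nonce, skipped
    return ed25519_pubkey_blob(r.string())


def match_certificates(agent_keys, certs):
    """agent_keys: dict name -> public-key blob of a loaded private key.
    certs: certificate blobs. Returns (matched name -> cert, unmatched list).
    A cert whose embedded key the agent does not hold grants nothing."""
    by_pub = {blob: name for name, blob in agent_keys.items()}
    matched, unmatched = {}, []
    for cert in certs:
        try:
            pub = cert_embedded_pubkey(cert)
        except ValueError:          # malformed or unsupported blob
            unmatched.append(cert)
            continue
        name = by_pub.get(pub)
        if name is None:
            unmatched.append(cert)
        else:
            matched[name] = cert
    return matched, unmatched


# Constructed sample data: two loaded keys, one cert that wraps a held key
# and one that wraps a key the agent does not hold.
KEY_A, KEY_B = b"\xaa" * 32, b"\xbb" * 32
AGENT_KEYS = {"id_ed25519_a": ed25519_pubkey_blob(KEY_A),
              "id_ed25519_b": ed25519_pubkey_blob(KEY_B)}
CERT_A = make_ed25519_cert(KEY_A, "alice@example", ["alice"])
CERT_STRANGER = make_ed25519_cert(b"\xcc" * 32, "mallory@example", ["mallory"])


def demo():
    matched, unmatched = match_certificates(AGENT_KEYS, [CERT_A, CERT_STRANGER])
    return sorted(matched), len(unmatched)


if __name__ == "__main__":
    print(demo())  # (['id_ed25519_a'], 1)
```

The matching shows why loading a certificate into the agent adds no authority on its own: a certificate only pairs with a key whose public half is already present, and the unmatched certificate for a key the agent does not hold is simply set aside. Whether the certificate's CA signature, principals and validity period are acceptable is still decided by the server that receives it.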
