[Bug 2472] Add support to load additional certificates
bugzilla-daemon at bugzilla.mindrot.org
Tue Jan 22 21:05:34 AEDT 2019
https://bugzilla.mindrot.org/show_bug.cgi?id=2472
Damien Miller <djm at mindrot.org> changed:
What                         |Removed |Added
----------------------------------------------------------------------------
Attachment #2934 is obsolete |0       |1
--- Comment #16 from Damien Miller <djm at mindrot.org> ---
Created attachment 3227
--> https://bugzilla.mindrot.org/attachment.cgi?id=3227&action=edit
add SSH2_AGENTC_ADD_CERTIFICATES to add certificates for matching with
private keys

This is an implementation of a SSH2_AGENTC_ADD_CERTIFICATES message in
ssh-agent to load one or more certificates that will be matched to
private keys if/when they are loaded.

I'm not convinced that being able to add certificates to one's agent
yields any security problem. The authenticator is possession of the
private key, and access to an agent socket is already approximately
equivalent to that - an attacker could get equivalent results without
ever touching the agent by grafting a certificate to an agent key
themselves.

BTW, it is already possible to specify certificates in ssh that
will be used with keys from the agent or PKCS#11 tokens. Maybe this
isn't needed at all?