[Bug 3111] New: Option AddKeysToAgent does not load certificates into ssh-agent
bugzilla-daemon at bugzilla.mindrot.org
Tue Jan 14 05:12:18 AEDT 2020
https://bugzilla.mindrot.org/show_bug.cgi?id=3111
Bug ID: 3111
Summary: Option AddKeysToAgent does not load certificates into ssh-agent
Product: Portable OpenSSH
Version: 8.1p1
Hardware: All
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh-agent
Assignee: unassigned-bugs at mindrot.org
Reporter: japlin at gmail.com
Using the option AddKeysToAgent loads key data, but not certificate
data, into ssh-agent when a certificate is used to authenticate a
session. Such a certificate thus cannot be used with agent forwarding
unless manually loaded via ssh-add. Manual loading works as expected.
Reproduction setup:
foo and bar both accept keys signed by the same Certificate Authority.
Each has a unique keypair signed by the same Certificate Authority.
Manual (working):
me at foo:~$ ssh-add ~/.ssh/id_ed25519
Enter passphrase for /home/me/.ssh/id_ed25519:
Identity added: /home/me/.ssh/id_ed25519 (me at foo)
Certificate added: /home/me/.ssh/id_ed25519-cert.pub (me at foo.local)
me at foo:~$ ssh-add -L
ssh-ed25519 x me at foo
ssh-ed25519-cert-v01 at openssh.com x me at foo.local
me at foo:~$ ssh -A -v -o AddKeysToAgent=no me at bar.local
...
debug1: Offering public key: /home/me/.ssh/id_ed25519 ED25519-CERT SHA256:x agent
debug1: Server accepts key: /home/me/.ssh/id_ed25519 ED25519-CERT SHA256:x agent
debug1: Authentication succeeded (publickey).
...
me at bar:~$ ssh-add -L
ssh-ed25519 x me at foo
ssh-ed25519-cert-v01 at openssh.com x me at foo.local
me at bar:~$ ssh -A -v -o AddKeysToAgent=no me at foo.local
...
debug1: Offering public key: me at foo ED25519-CERT SHA256:x agent
debug1: Server accepts key: me at foo ED25519-CERT SHA256:x agent
debug1: Authentication succeeded (publickey).
...
me at foo:~$
AddKeysToAgent (not working):
me at foo:~$ ssh-add -L
The agent has no identities.
me at foo:~$ ssh -A -v -o AddKeysToAgent=yes me at bar.local
...
debug1: Offering public key: /home/me/.ssh/id_ed25519-cert.pub ED25519-CERT SHA256:x
debug1: Server accepts key: /home/me/.ssh/id_ed25519-cert.pub ED25519-CERT SHA256:x
Enter passphrase for /home/me/.ssh/id_ed25519:
debug1: identity added to agent: /home/me/.ssh/id_ed25519
debug1: Authentication succeeded (publickey).
...
me at bar:~$ ssh-add -L
ssh-ed25519 x me at foo
me at bar:~$ ssh -A -v -o AddKeysToAgent=yes me at foo.local
...
debug1: Will attempt key: me at foo ED25519 SHA256:x agent
....
debug1: Offering public key: me at foo ED25519 SHA256:x agent
...
(authentication fails, or a local key is picked)
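A check for the state the report describes, as an added example that is not part of the bug report or of OpenSSH: it reads the text of `ssh-add -L` and prints every key type that the agent holds only as a bare key, with no matching certificate entry, which is what is left in the agent after AddKeysToAgent=yes loads id_ed25519 but not id_ed25519-cert.pub. The sample listings and key blobs below are constructed; the function name and the type-only matching are this example's own choices.

```shell
# Added example, not part of the bug report: given the text of `ssh-add -L`,
# print each key type that the agent holds only as a bare key with no
# matching certificate. That is the state the report shows after
# AddKeysToAgent=yes loaded id_ed25519 without id_ed25519-cert.pub, and it
# is worth checking before relying on agent forwarding (ssh -A) to a second
# host. Matching is by key type only, since `ssh-add -L` prints no
# fingerprints, so a listing with two keys of one type and one cert would
# pass; it is a heuristic, not a proof.

# Constructed listing in the report's "not working" state: key but no cert.
AGENT_LISTING_MISSING_CERT='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBlob me@foo'

# Constructed listing in the "working" state after a manual ssh-add.
AGENT_LISTING_WITH_CERT='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBlob me@foo
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnRFeGFtcGxlQ2VydEJsb2I me@foo.local'

# Usage: uncertified_key_types "$(ssh-add -L)"
# Prints one normalised key type per line (e.g. ssh-ed25519) that lacks a
# certificate entry; prints nothing when every key has a certificate or
# the agent is empty ("The agent has no identities.").
uncertified_key_types() {
    listing=$1
    # Key types of certificate entries, with the cert suffix stripped.
    cert_types=$(printf '%s\n' "$listing" | awk '
        $1 ~ /-cert-v01@openssh\.com$/ { sub(/-cert-v01@openssh\.com$/, "", $1); print $1 }')
    # Key types of bare key entries; "@openssh.com" is stripped so that
    # sk-ssh-ed25519@openssh.com matches sk-ssh-ed25519-cert-v01@openssh.com.
    key_types=$(printf '%s\n' "$listing" | awk '
        $1 ~ /^(ssh-|ecdsa-|sk-)/ && $1 !~ /-cert-v01@openssh\.com$/ { sub(/@openssh\.com$/, "", $1); print $1 }' | sort -u)
    for t in $key_types; do
        if printf '%s\n' "$cert_types" | grep -qxF -- "$t"; then
            :   # a certificate of this type is loaded alongside the key
        else
            echo "$t"
        fi
    done
}

# In a real session, load both key and cert the way the report's manual
# workaround does, then re-check:
#   [ -z "$(uncertified_key_types "$(ssh-add -L)")" ] || ssh-add ~/.ssh/id_ed25519
```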