[Bug 3681] New: SSH Agent Certificate Not Recognized with 'IdentitiesOnly' Configured
bugzilla-daemon at mindrot.org
Sat Apr 20 06:52:01 AEST 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3681
Bug ID: 3681
Summary: SSH Agent Certificate Not Recognized with 'IdentitiesOnly' Configured
Product: Portable OpenSSH
Version: 9.7p1
Hardware: All
OS: All
Status: NEW
Severity: trivial
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: contact at alexandre-petit.fr
Created attachment 3812
--> https://bugzilla.mindrot.org/attachment.cgi?id=3812&action=edit
git diff for fix example (sshconnect2.c)
The certificate present in the SSH agent is not added to the keys to be
tested when 'IdentitiesOnly yes' is configured in the ~/.ssh/config
file.
$ cat ~/.ssh/config
Host exemple.org
IdentityFile ~/.ssh/id_ed25519.pub
IdentitiesOnly Yes
$ ssh-add -l
256 SHA256:<FINGERPRINT> <COMMENT> (ED25519)
256 SHA256:<FINGERPRINT> <COMMENT> (ED25519-CERT)
$ ls ~/.ssh/config
config id_ed25519.pub
With the same configuration, 'ssh' defaults to looking for a
certificate in ~/.ssh/id_ed25519.pub-cert:
$ ssh -vvv user at exemple.org
debug1: identity file ~/.ssh/id_ed25519.pub type 3
debug1: identity file ~/.ssh/id_ed25519.pub-cert type -1
I believe the expected behavior should also include searching for the
certificate in the agent.
I have attempted a very simple and unpretentious fix. The .diff file is
attached.
The certificate is added from the agent with 'IdentitiesOnly Yes'. The
code is redundant, but it works.
Yet another inconsistency: 'ssh-keygen' generates certificates in the
form id_ed25519-cert.pub, whereas 'ssh' searches for
id_ed25519.pub-cert.
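As an added illustration, not code from the report or from OpenSSH: a small Python checker that parses `ssh-add -L` style output together with an IdentityFile `.pub` line, extracts the public key embedded in each ed25519 certificate blob, and lists the agent certificates that belong to the configured key, i.e. the identities the report says ssh should still offer under 'IdentitiesOnly yes'. The key material and certificate blobs are constructed placeholders (only the leading certificate fields are built), and all function names are assumptions.

```python
import base64
import struct

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n
def _wire_string(b):
    return struct.pack(">I", len(b)) + b

def embedded_public_key(blob):
    """(kind, raw_pk) for an ssh-ed25519 key blob or an ssh-ed25519-cert-v01@openssh.com
    certificate blob; in a certificate the key is the third field, after type and nonce."""
    ktype, off = _read_string(blob, 0)
    if ktype == b"ssh-ed25519":
        return "key", _read_string(blob, off)[0]
    if ktype == b"ssh-ed25519-cert-v01@openssh.com":
        _nonce, off = _read_string(blob, off)
        return "cert", _read_string(blob, off)[0]
    raise ValueError("unsupported key type %r" % ktype)

def parse_agent_listing(text):
    """Parse `ssh-add -L` style lines: '<type> <base64 blob> [<comment>]'."""
    ids = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        kind, pk = embedded_public_key(base64.b64decode(parts[1]))
        ids.append((kind, pk, parts[2] if len(parts) > 2 else ""))
    return ids

def agent_certs_for(identity_pub_line, agent_listing):
    """Comments of agent certificates whose embedded public key equals the key
    in the IdentityFile .pub line: what ssh could offer under IdentitiesOnly."""
    _, want = embedded_public_key(base64.b64decode(identity_pub_line.split()[1]))
    return [c for kind, pk, c in parse_agent_listing(agent_listing)
            if kind == "cert" and pk == want]

# Constructed sample material, not real keys: placeholder 32-byte public keys and
# certificate blobs carrying only the leading fields that embedded_public_key reads.
PK_A, PK_B = bytes(range(32)), bytes(range(32, 64))
def pub_line(pk, comment):
    blob = _wire_string(b"ssh-ed25519") + _wire_string(pk)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)
def cert_line(pk, comment):
    blob = (_wire_string(b"ssh-ed25519-cert-v01@openssh.com")
            + _wire_string(b"\x00" * 32) + _wire_string(pk))
    return "ssh-ed25519-cert-v01@openssh.com %s %s" % (base64.b64encode(blob).decode(), comment)
IDENTITY_PUB = pub_line(PK_A, "user@host")
AGENT_LISTING = "\n".join([pub_line(PK_A, "user@host"), cert_line(PK_A, "user@host-cert"), cert_line(PK_B, "other")])
```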