[Bug 3681] New: SSH Agent Certificate Not Recognized with 'IdentitiesOnly' Configured

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Apr 20 06:52:01 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3681

            Bug ID: 3681
           Summary: SSH Agent Certificate Not Recognized with
                    'IdentitiesOnly' Configured
           Product: Portable OpenSSH
           Version: 9.7p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: contact at alexandre-petit.fr

Created attachment 3812
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3812&action=edit
git diff for fix example (sshconnect2.c)

The certificate present in the SSH agent is not added to the keys to be
tested when 'IdentitiesOnly yes' is configured in the ~/.ssh/config
file.

$ cat ~/.ssh/config
Host exemple.org
        IdentityFile ~/.ssh/id_ed25519.pub
        IdentitiesOnly Yes

$ ssh-add -l
256 SHA256:<FINGERPRINT> <COMMENT> (ED25519)
256 SHA256:<FINGERPRINT> <COMMENT> (ED25519-CERT)

$ ls ~/.ssh/config
config    id_ed25519.pub

With the same configuration, 'ssh' defaults to looking for a
certificate in ~/.ssh/id_ed25519.pub-cert:

$ ssh -vvv user at exemple.org
debug1: identity file ~/.ssh/id_ed25519.pub type 3
debug1: identity file ~/.ssh/id_ed25519.pub-cert type -1

I believe the expected behavior should also include searching for the
certificate in the agent.
I have attempted a very simple and unpretentious fix. The .diff file is
attached.
The certificate is added from the agent with 'IdentitiesOnly Yes'. The
code is redundant, but it works.

Yet another inconsistency: 'ssh-keygen' generates certificates in the
form id_ed25519-cert.pub, whereas "ssh" searches for
id_ed25519.pub-cert.
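An added config-audit check, not part of the bug report or of OpenSSH: it lists the IdentityFile entries in IdentitiesOnly blocks for which ssh will find no certificate file on disk, using the "<IdentityFile>-cert" probe visible in the debug output above. It assumes (not stated in the report) that OpenSSH's public-key loader also retries that name with ".pub" appended, which is the id_ed25519-cert.pub name ssh-keygen writes; the ssh_config parser is deliberately minimal.

```python
import os
import re

def ssh_cert_candidates(identity_file):
    """Certificate paths ssh probes for one IdentityFile: "-cert" appended
    (the id_ed25519.pub-cert line in the debug output), then the same name
    with ".pub" appended (assumption about OpenSSH's key loader)."""
    base = identity_file + "-cert"
    return [base, base + ".pub"]

def identities_only_hosts(config_text):
    """Minimal ssh_config parser: {host: [IdentityFile values]} for every
    Host block that sets IdentitiesOnly yes (keywords case-insensitive)."""
    hosts, current = {}, None
    for raw in config_text.splitlines():
        parts = re.split(r"\s*=\s*|\s+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = hosts.setdefault(value, {"only": False, "files": []})
        elif current is None:
            continue
        elif key == "identitiesonly":
            current["only"] = value.lower() == "yes"
        elif key == "identityfile":
            current["files"].append(value)
    return {h: d["files"] for h, d in hosts.items() if d["only"]}

def audit_cert_lookup(config_text, exists=os.path.exists):
    """(host, IdentityFile, probed paths) for each identity in an
    IdentitiesOnly block that has no certificate file on disk; per the
    report, a certificate held only in the agent is not offered there."""
    findings = []
    for host, files in identities_only_hosts(config_text).items():
        for ident in files:
            cands = ssh_cert_candidates(os.path.expanduser(ident))
            if not any(exists(c) for c in cands):
                findings.append((host, ident, cands))
    return findings

# Constructed reproduction of the report: IdentityFile names the .pub file,
# so ssh probes id_ed25519.pub-cert(.pub) and never the cert ssh-keygen wrote.
REPORT_CONFIG = "Host exemple.org\n  IdentityFile /home/u/.ssh/id_ed25519.pub\n  IdentitiesOnly Yes\n"
ON_DISK = {"/home/u/.ssh/id_ed25519", "/home/u/.ssh/id_ed25519.pub",
           "/home/u/.ssh/id_ed25519-cert.pub"}  # constructed, no real files
for host, ident, cands in audit_cert_lookup(REPORT_CONFIG, ON_DISK.__contains__):
    print(f"{host}: no certificate found for {ident}; ssh probed {cands}")
```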
