[Bug 3869] Loading "only" an ssh certificate in ssh-agent with ssh-add unnecessarily loads the private key and always exits with an error even when successful
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Mon Sep 29 12:58:11 AEST 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3869
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Status|NEW |RESOLVED
Resolution|--- |WONTFIX
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Except for this spurious error:
> Could not add identity "/home/brendan/.ssh/id_ed25519": success
Everything you describe here is intended behaviour.
ssh-agent does not monitor files for changes. It only receives keys
when the user loads them via ssh-add. It *can't* monitor local files,
as the keys being loaded may not even be on the same host as ssh-agent
(consider agent forwarding). Sometimes there is no file to monitor,
e.g. keys being loaded from standard input, from a PKCS#11 token or
from a FIDO device.
Likewise, loading a certificate *must* require the private key too.
There are two reasons for this.
The first reason is practical: ssh-agent is essentially a repository
for private keys and, in ssh-agent's view, certificates are just
another type of private key.
The second reason has to do with security. If it is possible to load a
certificate without the private key, then there is no proof that the
user loading the certificate has *access* to the private key material
that corresponds to that certificate. Relaxing this criteria would
allow, for example, an attacker on a machine to which a user had
forwarded their agent to load an unexpected certificate that could be
used with a previously-loaded private key. Under some circumstances,
this could be worse than the attacker having access to the agent at
all.
Sorry, we don't intend to change any of this. I will fix the spurious
error message though.
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
More information about the openssh-bugs
mailing list