[Bug 3869] Loading "only" an ssh certificate in ssh-agent with ssh-add unnecessarily loads the private key and always exits with an error even when successful

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Sep 29 12:58:11 AEST 2025 

https://bugzilla.mindrot.org/show_bug.cgi?id=3869

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Except for this spurious error:

> Could not add identity "/home/brendan/.ssh/id_ed25519": success

Everything you describe here is intended behaviour.

ssh-agent does not monitor files for changes. It only receives keys
when the user loads them via ssh-add. It *can't* monitor local files,
as the keys being loaded may not even be on the same host as ssh-agent
(consider agent forwarding). Sometimes there is no file to monitor,
e.g. keys being loaded from standard input, from a PKCS#11 token or
from a FIDO device.

Likewise, loading a certificate *must* require the private key too.
There are two reasons for this.

The first reason is practical: ssh-agent is essentially a repository
for private keys and, in ssh-agent's view, certificates are just
another type of private key.

The second reason has to do with security. If it is possible to load a
certificate without the private key, then there is no proof that the
user loading the certificate has *access* to the private key material
that corresponds to that certificate. Relaxing this criteria would
allow, for example, an attacker on a machine to which a user had
forwarded their agent to load an unexpected certificate that could be
used with a previously-loaded private key. Under some circumstances,
this could be worse than the attacker having access to the agent at
all.

Sorry, we don't intend to change any of this. I will fix the spurious
error message though.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

More information about the openssh-bugs mailing list