[Bug 3869] Loading "only" an ssh certificate in ssh-agent with ssh-add unnecessarily loads the private key and always exits with an error even when successful

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Sep 29 17:55:08 AEST 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3869

--- Comment #2 from Brendan Hide <brendan at swiftspirit.co.za> ---
> If it is possible to load a certificate without the private key, then there is no proof that the user loading the certificate has *access* to the private key material that corresponds to that certificate.

Perhaps I don't understand the security model well. If the agent has a
certificate and the client tries to load a new one with a matching
pubkey+signer/etc (and with a newer expiry date), I'm not sure it
really matters that the client doesn't have access to the private key.

As a parallel, cert issuers never have access to your private keys,
only your public keys.

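To make the "matching pubkey + signer, newer expiry" idea concrete, here is an added Python example (not OpenSSH code, not from this bug) that parses the ssh-ed25519-cert-v01@openssh.com wire format from PROTOCOL.certkeys and decides whether a candidate certificate is a pure renewal of one already loaded. The sample certificates, the key bytes, and the function names are constructed for the example; the CA signature is a placeholder and is not verified, and even a verified signature would only show the CA issued the cert, not that the loader holds the private key.

```python
import struct

def _s(b: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b

class _Reader:
    """Minimal cursor over an SSH wire-encoded buffer."""
    def __init__(self, buf: bytes):
        self.buf, self.off = buf, 0
    def _take(self, fmt: str):
        (v,) = struct.unpack_from(fmt, self.buf, self.off)
        self.off += struct.calcsize(fmt)
        return v
    def u32(self) -> int: return self._take(">I")
    def u64(self) -> int: return self._take(">Q")
    def string(self) -> bytes:
        n = self.u32()
        v = self.buf[self.off:self.off + n]
        self.off += n
        return v

def parse_ed25519_cert(blob: bytes) -> dict:
    """Parse an ssh-ed25519-cert-v01@openssh.com blob into its fields (PROTOCOL.certkeys order)."""
    r = _Reader(blob)
    if r.string() != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("not an ed25519 OpenSSH certificate")
    return {"nonce": r.string(), "pk": r.string(), "serial": r.u64(), "type": r.u32(),
            "key_id": r.string(), "principals": r.string(), "valid_after": r.u64(),
            "valid_before": r.u64(), "critical": r.string(), "extensions": r.string(),
            "reserved": r.string(), "signature_key": r.string(), "signature": r.string()}

def build_cert(pk: bytes, serial: int, key_id: bytes, valid_after: int,
               valid_before: int, ca_key: bytes) -> bytes:
    """Constructed test certificate (user cert, principal 'alice'); the signature is a dummy."""
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"N" * 32) + _s(pk)
            + struct.pack(">QI", serial, 1) + _s(key_id) + _s(_s(b"alice"))
            + struct.pack(">QQ", valid_after, valid_before) + _s(b"") + _s(b"") + _s(b"")
            + _s(ca_key))
    return body + _s(b"\x00" * 64)  # placeholder, NOT a real CA signature

def is_acceptable_renewal(loaded: bytes, candidate: bytes) -> bool:
    """True if candidate has the same subject key and CA as the loaded cert and expires later.
    This is the check the comment describes; it says nothing about private-key possession."""
    a, b = parse_ed25519_cert(loaded), parse_ed25519_cert(candidate)
    return (a["pk"] == b["pk"] and a["signature_key"] == b["signature_key"]
            and a["type"] == b["type"] and b["valid_before"] > a["valid_before"])

# Constructed sample data: fake key bytes, not real keys.
PK = b"\x11" * 32
CA = _s(b"ssh-ed25519") + _s(b"\x22" * 32)
OTHER_CA = _s(b"ssh-ed25519") + _s(b"\x33" * 32)
OLD_CERT = build_cert(PK, 1, b"alice-old", 1000, 2000, CA)
NEW_CERT = build_cert(PK, 2, b"alice-new", 1500, 3000, CA)
FOREIGN_CERT = build_cert(PK, 3, b"alice-x", 1500, 3000, OTHER_CA)
```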