[Bug 3212] Ability to add ssh certificate to ssh agent to existing private key without rereading private key from filesystem
bugzilla-daemon at mindrot.org
Mon Jan 19 15:13:46 AEDT 2026
https://bugzilla.mindrot.org/show_bug.cgi?id=3212
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
If we were to allow this then I think we'd need proof-of-possession of
the private key before allowing the user to attach a new certificate to
it.
Doing this is tricky, because it means a multi-step protocol between
the client and the agent, and no other agent request is similarly
multi-step. (It needs to be multi-step because the agent would need to
send the client a cookie/challenge to ensure the proof is fresh and not
a replay).
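The two-step exchange the comment describes, sketched in Go as an added example (constructed here, not OpenSSH or ssh-agent code): the agent issues a random challenge for a key it already holds, the client signs that challenge together with the certificate it wants attached, and the agent consumes the challenge before verifying, so a captured response cannot be replayed and a failed attempt cannot be retried. Ed25519, the `KeyEntry` type and the domain-separation tag are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// KeyEntry is a constructed sketch of one key already loaded in the agent (not
// ssh-agent's real store): its public half, attached cert, outstanding nonce.
type KeyEntry struct {
	Pub       ed25519.PublicKey
	Cert      []byte
	challenge []byte // nil when no challenge is outstanding
}

// Challenge is step 1: issue a fresh random nonce and remember it, so that
// only a proof computed after this call can succeed.
func (k *KeyEntry) Challenge() []byte {
	k.challenge = make([]byte, 32)
	rand.Read(k.challenge) // crypto/rand.Read does not fail on supported platforms
	return k.challenge
}

// proofMessage binds nonce and cert under a constructed domain tag, so the
// signature cannot double as an ordinary agent sign request.
func proofMessage(nonce, cert []byte) []byte {
	return append(append([]byte("agent-cert-attach-proof\x00"), nonce...), cert...)
}

// ClientProve is step 2, client side: sign with the private key being claimed.
func ClientProve(priv ed25519.PrivateKey, nonce, cert []byte) []byte {
	return ed25519.Sign(priv, proofMessage(nonce, cert))
}

// AttachCert is step 2, agent side. The nonce is consumed before the check, so
// a replayed response or a failed attempt cannot be retried without step 1.
func (k *KeyEntry) AttachCert(cert, sig []byte) error {
	nonce := k.challenge
	k.challenge = nil
	if nonce == nil {
		return errors.New("no outstanding challenge for this key")
	}
	if !ed25519.Verify(k.Pub, proofMessage(nonce, cert), sig) {
		return errors.New("proof of possession failed")
	}
	k.Cert = cert
	return nil
}
```

A real agent would additionally parse the certificate and check that the public key it certifies is the key the entry holds, which this sketch leaves out.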