[openssh-commits] [openssh] 02/02: upstream: In ssh(1), don't try to match certificates held in an
git+noreply at mindrot.org
Thu Jan 22 11:12:30 AEDT 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit d7950aca8eacae8b889d92c669e913111af75984
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Wed Jan 21 23:58:20 2026 +0000
upstream: In ssh(1), don't try to match certificates held in an
agent to private keys.
This matching is done to support certificates that were
loaded without their private key material, but is unnecessary for
agent-hosted certificates, which always have private key material
loaded in the agent. Worse, this matching would mess up the
request sent to the agent in such a way as to break usage of these
keys when the key usage was restricted in the agent.
Patch from Thibault Cools via bz3752, ok dtucker@
OpenBSD-Commit-ID: ebfe37817dad4841c53339930565242ec683d726
---
sshconnect2.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sshconnect2.c b/sshconnect2.c
index b3679c9d7..53e1f197d 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.378 2025/09/15 04:51:35 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.379 2026/01/21 23:58:20 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -1341,7 +1341,7 @@ sign_and_send_pubkey(struct ssh *ssh, Identity *id)
* This will try to set sign_id to the private key that will perform
* the signature.
*/
- if (sshkey_is_cert(id->key)) {
+ if (id->agent_fd == -1 && sshkey_is_cert(id->key)) {
TAILQ_FOREACH(private_id, &authctxt->keys, next) {
if (sshkey_equal_public(id->key, private_id->key) &&
id->key->type != private_id->key->type) {
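Review bot: the comment just above the guard, `This will try to set sign_id to the private key that will perform the signature.`, still describes the lookup as running for every certificate, while the new condition `if (id->agent_fd == -1 && sshkey_is_cert(id->key))` restricts it to identities that are not held in an agent; add a sentence to that comment stating that agent-hosted certificates skip the lookup because the agent already holds the private key, so a later reader does not undo the guard as an apparent oversight. The guard itself is in the right place: it is evaluated before the TAILQ_FOREACH, so no iteration over authctxt->keys happens for agent identities, and the loop body (`sshkey_equal_public(id->key, private_id->key) && id->key->type != private_id->key->type`) is left unchanged for certificates loaded from files.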
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.