ssh-keygen support for ssh-agent

Damien Miller djm at mindrot.org
Sat Apr 11 13:52:17 AEST 2015


Agent support for ssh-keygen isn't a bad idea - could you please
file a feature request at https://bugzilla.mindrot.org/ so we don't
forget it?

-d

On Fri, 10 Apr 2015, Bolesław Tokarski wrote:

> Hello,
> 
> I am in a PoC of setting up a SSH CA for the SSH host keys. The idea is to
> add an SSH CA service that would generate SSH certificates for servers that
> we install automatically. This way, we would be sure that if a server
> presents itself with a certificate signed with the CA, it belongs to us,
> and is no MitM.
> 
> I settled on a GnuPG smartcard to go with the SSH CA. This would secure the
> private key material from remote attack, and the smartcard itself is
> protected by a PIN. The smartcard is supported by opensc-pkcs11.so, and it
> works nicely with ssh authentication, with native ssh-agent with "ssh-add
> -s opensc-pkcs11.so", with gpg-agent's ssh agent support, and it neatly
> generates SSH certificates with "ssh-keygen -D opensc-pkcs11.so".
> 
> Now, my design assumed that the SSH CA would only require PIN entering on
> its PIN-pad after, say, a reboot. ssh-agent works like this for ssh
> authentication - it keeps the card open until it's removed or the machine
> gets turned off. Unfortunately, ssh-keygen cannot currently utilize
> ssh-agent for generating host certificates. It opens the smartcard with the
> pkcs11 library on its own, requests the PIN for every signature, and closes
> the card.
> 
> Of course, I could use a card reader that doesn't have a PIN-pad. I guess I
> could issue "echo 1234 |ssh-keygen -D opensc-pkcs11.so". Or I could totally
> resign from using a smartcard. But then, the same happens if I use a
> password-protected private key as the CA - I get prompted for the key
> password on each run. All of those approaches are not ideal, to say the
> least.
> 
> What I need is a process that keeps the smartcard open, so that it's
> possible to only enter the PIN once. This is done for ssh in ssh-agent.
> Would it be possible to add ssh-agent support to ssh-keygen?
> 
> Best regards,
> Bolesław Tokarski
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
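As an added example (not code from the thread or from OpenSSH), the host-CA flow the quoted message describes, with a file-based CA key standing in for the smartcard: sign a host key, build the client-side `@cert-authority` entry, and check the resulting certificate. It assumes ssh-keygen is on PATH; the working directory, hostnames and key types are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original thread. Demonstrates an SSH host CA:
# a CA key signs a server's host key, and clients trust any host certificate
# issued by that CA instead of pinning individual host keys.
set -e

WORK="${TMPDIR:-/tmp}/sshca-demo.$$"   # constructed scratch directory

# Create a CA key and sign a freshly generated host key with it.
# Prints the path of the host certificate on success.
build_host_cert() {
    host="$1"   # principal the certificate is valid for (constructed name)
    mkdir -p "$WORK" && chmod 700 "$WORK"
    # CA key: passphrase-less here only so the demo runs unattended. The
    # message's whole point is that the real CA key sits on a smartcard or
    # behind a passphrase, which is where the repeated PIN prompts come from.
    ssh-keygen -q -t ed25519 -N '' -C 'demo host CA' -f "$WORK/ca"
    # Host key, as generated on the server being installed.
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/ssh_host_ed25519_key"
    # -h makes it a host certificate, -n binds the principal(s),
    # -V limits validity (here: 52 weeks from now).
    ssh-keygen -q -s "$WORK/ca" -I "host:$host" -h -n "$host" -V +52w \
        "$WORK/ssh_host_ed25519_key.pub"
    echo "$WORK/ssh_host_ed25519_key-cert.pub"
}

# Client side: a known_hosts line trusting every host certificate signed by
# this CA for hosts matching the pattern. Without it the cert is just ignored.
cert_authority_line() {
    pattern="$1"
    printf '@cert-authority %s %s\n' "$pattern" "$(cut -d' ' -f1,2 "$WORK/ca.pub")"
}

# Inspect the certificate and require (a) a host certificate and (b) the
# expected principal in its Principals block; a user cert or a cert for
# another hostname fails this check.
cert_has_principal() {
    cert="$1"; host="$2"
    ssh-keygen -L -f "$cert" | awk -v want="$host" '
        /Type:/ && /host certificate/ { t = 1 }
        /Principals:/                 { p = 1; next }
        /Critical Options:/           { p = 0 }
        p && $1 == want               { f = 1 }
        END { exit !(t && f) }'
}
```

On the server, `HostCertificate` in sshd_config points at the signed certificate, and the `@cert-authority` line goes into the clients' known_hosts. Newer ssh-keygen releases also accept `-U` to sign with a CA key held in ssh-agent, which is the capability the message asks for.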