[PATCH] ssh-agent: Add support to load additional certificates

Thomas Jarosch thomas.jarosch at intra2net.com
Fri Aug 14 02:04:30 AEST 2015


Hi,

On Sunday, 26. July 2015 16:52:18 you wrote:
> Add support to load additional certificates
> for already loaded private keys. Useful
> if the private key is on a PKCS#11 hardware token.
> 
> The private keys inside ssh-agent are now using a refcount
> to share the private parts between "Identities".
> The reason for this change was that the PKCS#11 code
> might have redirected ("wrap") the RSA functions to a hardware token.
> We don't want to mess with those internals.
> 
> Tested with an OpenPGP card. Patch developed against 6.9p
> and applies to original 6.9, too.
> 
> Please CC: comments.
> 
> Signed-off-by: Thomas Jarosch <thomas.jarosch at intra2net.com>

Any comment on this?

Is the concept sound or did I take the wrong turn here?

If upstream considers this the way to go, I can try
to split up the patch into smaller pieces like this:

- sshkey.c: Add "int sshkey_is_private(const struct sshkey *)" function
- ssh-agent: Transition to private key refcounting
- ssh-agent: Implement private key "shadowing"
- ssh-add: Add support to add plain certificates

Thanks in advance,
Thomas
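The shared-private-part arrangement the quoted description proposes, as a toy model added here for illustration (not the patch's code and not OpenSSH's data structures; the function names and the string stand-in for the public key are constructed): a certificate can only be added for a key whose private part is already loaded, the certificate identity then takes a reference on that same private part, and the part is released only when the last identity holding it goes away.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model of the refcounted private key the patch describes (constructed for this note; not the patch's code, not OpenSSH's layout). */
struct privkey { int refcount; char pubkey[32]; };   /* pubkey: stand-in used for matching */
struct identity { struct privkey *key; int has_cert; struct identity *next; };
static struct identity *idlist;   /* everything the agent currently holds */
static struct identity *find_identity(const char *pubkey, int has_cert) {
	struct identity *id;
	for (id = idlist; id != NULL; id = id->next)
		if (id->has_cert == has_cert && strcmp(id->key->pubkey, pubkey) == 0)
			return id;
	return NULL;
}
/* Each identity owns one reference; the private part is freed with the last. */
static int link_identity(struct privkey *k, int has_cert) {
	struct identity *id = calloc(1, sizeof(*id));
	if (id == NULL) return -1;
	k->refcount++;
	id->key = k; id->has_cert = has_cert; id->next = idlist; idlist = id;
	return 0;
}
/* ssh-add of a plain private key: a fresh privkey with a single reference. */
int agent_add_key(const char *pubkey) {
	struct privkey *k;
	if (find_identity(pubkey, 0) != NULL || (k = calloc(1, sizeof(*k))) == NULL)
		return -1;
	strncpy(k->pubkey, pubkey, sizeof(k->pubkey) - 1);
	if (link_identity(k, 0) < 0) { free(k); return -1; }
	return 0;
}
/* Certificate alone: refused unless the matching private key is loaded; the new identity shares that key. */
int agent_add_cert(const char *pubkey) {
	struct identity *priv = find_identity(pubkey, 0);
	if (priv == NULL || find_identity(pubkey, 1) != NULL) return -1;
	return link_identity(priv->key, 1);
}
/* Drop one identity; returns references left on its key (0 = key freed), -1 if absent. */
int agent_remove(const char *pubkey, int has_cert) {
	struct identity **pp, *id; int left;
	for (pp = &idlist; *pp != NULL; pp = &(*pp)->next) {
		if ((*pp)->has_cert != has_cert || strcmp((*pp)->key->pubkey, pubkey))
			continue;
		id = *pp; *pp = id->next;
		if ((left = --id->key->refcount) == 0)
			free(id->key);   /* last reference gone: release the private part */
		free(id);
		return left;
	}
	return -1;
}
```

Removing the plain identity while a certificate identity still references the key leaves the private part alive, which is the property the refcount is there to guarantee.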



More information about the openssh-unix-dev mailing list