[PATCH] ssh-agent: Add support to load additional certificates
Thomas Jarosch
thomas.jarosch at intra2net.com
Fri Aug 14 02:04:30 AEST 2015
Hi,
On Sunday, 26. July 2015 16:52:18 you wrote:
> Add support to load additional certificates
> for already loaded private keys. Useful
> if the private key is on a PKCS#11 hardware token.
>
> The private keys inside ssh-agent are now using a refcount
> to share the private parts between "Identities".
> The reason for this change was that the PKCS#11 code
> might have redirected ("wrap") the RSA functions to a hardware token.
> We don't want to mess with those internals.
>
> Tested with an OpenGPG card. Patch developed against 6.9p
> and applies to original 6.9, too.
>
> Please CC: comments.
>
> Signed-off-by: Thomas Jarosch <thomas.jarosch at intra2net.com>
any comment on this?
Is the concept sound or did I take the wrong turn here?
If upstream considers this the way to go, I can try
to split up the patch into smaller pieces like this:
- sshkey.c: Add "int sshkey_is_private(const struct sshkey *)" function
- ssh-agent: Transition to private key refcounting
- ssh-agent: Implement private key "shadowing"
- ssh-add: Add support to add plain certificates
Thanks in advance,
Thomas
More information about the openssh-unix-dev
mailing list