[PATCH] ssh-agent: Add support to load additional certificates

Damien Miller djm at mindrot.org
Mon Aug 17 10:33:54 AEST 2015


Hi,

This seems like a reasonable idea.

Could you please attach this to a bug at https://bugzilla.mindrot.org/ ?
This will ensure it won't get lost.

On Thu, 13 Aug 2015, Thomas Jarosch wrote:

> Hi,
> 
> On Sunday, 26. July 2015 16:52:18 you wrote:
> > Add support to load additional certificates
> > for already loaded private keys. Useful
> > if the private key is on a PKCS#11 hardware token.
> > 
> > The private keys inside ssh-agent are now using a refcount
> > to share the private parts between "Identities".
> > The reason for this change was that the PKCS#11 code
> > might have redirected ("wrap") the RSA functions to a hardware token.
> > We don't want to mess with those internals.
> > 
> > Tested with an OpenGPG card. Patch developed against 6.9p
> > and applies to original 6.9, too.
> > 
> > Please CC: comments.
> > 
> > Signed-off-by: Thomas Jarosch <thomas.jarosch at intra2net.com>
> 
> any comment on this?
> 
> Is the concept sound or did I take the wrong turn here?
> 
> If upstream considers this the way to go, I can try
> to split up the patch into smaller pieces like this:
> 
> - sshkey.c: Add "int sshkey_is_private(const struct sshkey *)" function
> - ssh-agent: Transition to private key refcounting
> - ssh-agent: Implement private key "shadowing"
> - ssh-add: Add support to add plain certificates
> 
> Thanks in advance,
> Thomas
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 