[PATCH] ssh-agent: Add support to load additional certificates
Damien Miller
djm at mindrot.org
Mon Aug 17 10:33:54 AEST 2015
Hi,
This seems like a reasonable idea.
Could you please attach this to a bug at https://bugzilla.mindrot.org/ ?
This will ensure it won't get lost.
On Thu, 13 Aug 2015, Thomas Jarosch wrote:
> Hi,
>
> On Sunday, 26. July 2015 16:52:18 you wrote:
> > Add support to load additional certificates
> > for already loaded private keys. Useful
> > if the private key is on a PKCS#11 hardware token.
> >
> > The private keys inside ssh-agent are now using a refcount
> > to share the private parts between "Identities".
> > The reason for this change was that the PKCS#11 code
> > might have redirected ("wrap") the RSA functions to a hardware token.
> > We don't want to mess with those internals.
> >
> > Tested with an OpenGPG card. Patch developed against 6.9p
> > and applies to original 6.9, too.
> >
> > Please CC: comments.
> >
> > Signed-off-by: Thomas Jarosch <thomas.jarosch at intra2net.com>
>
> any comment on this?
>
> Is the concept sound or did I take the wrong turn here?
>
> If upstream considers this the way to go, I can try
> to split up the patch into smaller pieces like this:
>
> - sshkey.c: Add "int sshkey_is_private(const struct sshkey *)" function
> - ssh-agent: Transition to private key refcounting
> - ssh-agent: Implement private key "shadowing"
> - ssh-add: Add support to add plain certificates
>
> Thanks in advance,
> Thomas
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>