ssh-agent could not add signed cert when private key stored in yubikey

Jakub Jelen jjelen at
Wed Jan 30 03:19:46 AEDT 2019

On Tue, 2019-01-29 at 22:35 +0800, YC wrote:
> Hi,
> I'm currently stuck with yubikey + signed user key + ssh-agent
> forwarding.
> As noted, I have private key stored in yubikey, public key in
> ~/.ssh/ and signed public key in ~/.ssh/ on PC (see below).
> It's not working with this agent forwarding access:
> PC----Server_A----Server_B. With the private key saved in ~/id_rsa,
> it works fine! After a simple comparison, I found that when the
> private key is stored in yubikey hardware, ssh-add would not add the
> signed public key ( to ssh-agent. Should this be the problem?
> Is there a way to add signed public key to ssh-agent?

This is a known bug tracked here [1], including a proposed patch.

One possibility is to copy the public key and certificate to your
Server A, or use the patch attached to the bug [1] (or wait, and it will
hopefully land in the next release).


Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
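A diagnostic check added here for readers of this thread; it is not code from the thread or from OpenSSH. It parses the text of `ssh-add -L` (the two listings below are constructed samples) and reports whether each plain key the agent holds is accompanied by a certificate of the same type, which is what a forwarded host needs to see for certificate authentication to work.

```shell
# Constructed sample: a plain RSA key with no *-cert-v01 entry, the
# symptom described in the thread for a key loaded from a PKCS#11 token.
SAMPLE_NO_CERT='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedkey== yubikey
'
# Constructed sample: the same key with its certificate loaded as well.
SAMPLE_WITH_CERT='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedkey== yubikey
ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20Aconstructed== yubikey
'

# Number of identities whose key type is a certificate type.
count_certs() {
    printf '%s\n' "$1" | awk '$1 ~ /-cert-v0[0-9]+@openssh\.com$/ { n++ } END { print n+0 }'
}

# Number of plain (non-certificate) identities.
count_plain_keys() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $1 !~ /-cert-/ { n++ } END { print n+0 }'
}

# Succeeds if the listing ($1) contains a certificate whose type is
# derived from the plain key type ($2), e.g. ssh-rsa -> ssh-rsa-cert-v01@openssh.com.
has_cert_for_type() {
    printf '%s\n' "$1" | awk -v t="$2" 'index($1, t "-cert-v") == 1 { found = 1 } END { exit found ? 0 : 1 }'
}

# Prints a verdict and returns 0 only when every plain key in the agent
# listing ($1) has a matching certificate; returns 1 otherwise.
# Usage: agent_cert_status "$(ssh-add -L)"
agent_cert_status() {
    listing="$1"
    keys=$(count_plain_keys "$listing")
    if [ "$keys" -eq 0 ]; then
        echo "agent holds no identities"
        return 1
    fi
    missing=0
    for t in $(printf '%s\n' "$listing" | awk 'NF >= 2 && $1 !~ /-cert-/ { print $1 }'); do
        if ! has_cert_for_type "$listing" "$t"; then
            echo "key type $t is loaded without a certificate: forwarded hosts will see only the plain key"
            missing=$((missing + 1))
        fi
    done
    if [ "$missing" -gt 0 ]; then
        return 1
    fi
    echo "agent holds $keys key(s), each with a certificate ($(count_certs "$listing") total)"
    return 0
}
```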

More information about the openssh-unix-dev mailing list