ssh-agent could not add signed cert when private key stored in yubikey
Damien Miller
djm at mindrot.org
Wed Jan 30 09:58:26 AEDT 2019
On Tue, 29 Jan 2019, YC wrote:
> Hi,
>
> I'm currently stuck with yubikey + signed user key + ssh-agent forwarding.
> As https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html noted,
> I have private key stored in yubikey, public key in ~/.ssh/id_rsa.pub and
> signed public key in ~/.ssh/id_rsa-cert.pub on PC (see bellow).
There is currently no way to add certificates to an agent for PKCS#11
keys.
That being said, you don't strictly need to. ssh is able to graft the
certificates to private keys held in agents or tokens at runtime - you
just need to specify the certificate(s) using the IdentityFile directive.
Note that this won't work using agent forwarding, but it will work using
ProxyJump.
-d
More information about the openssh-unix-dev
mailing list