Insert certificate into agent for existing key?
Brian Candler
b.candler at pobox.com
Wed Feb 10 19:00:29 AEDT 2021
On 09/02/2021 23:51, Damien Miller wrote:
>> So basically: can I send just a certificate to ssh-agent? And if so,
>> how is that done?
> Yes, it is possible but poorly documented (patches welcome as always).
> The format for encoding a certificate with private key is is roughly
> {cert, private fields}. See sshkey.c:sshkey_private_serialize_opt() for
> the actual code, but it's basically the following, where "certificate
> blob" is the entire public certificate key.
That's how to send a (private key, certificate) pair - I have that
working already, thanks to the go x/crypto/ssh/agent library.
However, the question was whether it's possible to send just a
certificate by itself, which corresponds to a private key that the agent
already has. And at the moment, I think the answer is "no you can't".
More information about the openssh-unix-dev
mailing list