ssh-agent holds many certs. best way to ensure sshd sees them all besides increasing MaxAuthTries?

Damien Miller djm at mindrot.org
Wed Jun 23 10:57:15 AEST 2021


On Tue, 22 Jun 2021, Christian, Mark wrote:

> Wondering how I might be able to configure my ssh client or server so
> that any one of my ssh certificates may be used for authentication? Are
> there better ways to check for more than a couple certificates than by
> increasing sshd_config MaxAuthTries? I was thinking ssh -oCertificateFile
> could be used but I'm struggling to figure out how
> since my ssh-agent is the only place where the certs and private keys
> are located.
> 
> Each certificate may have a different principal, policy or validity,
> hence the multiple certificates.

You should be able to use CertificateFile+IdentitiesOnly to control
which agent-hosted certificates are offered. See
sshconnect2.c:pubkey_prepare() for the gory details.

-d
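One way to set up what Damien describes, as an added ssh_config example that is not part of the original thread and not OpenSSH project code. Hostnames, key file paths and principal names are assumptions chosen for illustration. The private keys stay in ssh-agent; only the public halves and the certificates are on disk, which is enough for ssh to match them against the agent's keys and have the agent do the signing.

```sshconfig
# Added example, not from the thread. Hostnames, paths and principals are
# assumed for illustration.
#
# IdentitiesOnly restricts what ssh offers to the keys and certificates
# listed in the configuration (or on the command line), even when the
# agent holds more. The files named below are public halves and
# certificates only; the matching private keys remain in ssh-agent.
Host *
    IdentitiesOnly yes

# Production hosts: certificate issued for principal "ops"
Host prod-*.example.com
    IdentityFile    ~/.ssh/id_ed25519_ops.pub
    CertificateFile ~/.ssh/id_ed25519_ops-cert.pub

# Lab hosts: certificate issued for principal "lab" under a different
# CA policy and validity window
Host lab-*.example.com
    IdentityFile    ~/.ssh/id_ed25519_lab.pub
    CertificateFile ~/.ssh/id_ed25519_lab-cert.pub
```

Two caveats a practitioner should keep in mind: IdentityFile and CertificateFile directives accumulate across every matching Host block, so a catch-all `Host *` that lists identities would add them to the offers for the specific hosts too; and `ssh -G prod-a.example.com` prints the resolved options for a destination, while `ssh -v` shows which keys and certificates are actually offered, which is the quickest way to confirm that only the intended certificate is tried before MaxAuthTries is hit.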

