Finding a resident key stored in an agent without a corresponding file?

Damien Miller djm at
Tue Mar 23 16:17:46 AEDT 2021

On Sun, 21 Mar 2021, Lars Noodén wrote:

> I have a question about SK keys when there are more than 6 keys in the
> agent.
> If I have added an SK key as resident to a hardware token, using the -O
> resident option with ssh-keygen(1), then the -K option with ssh-add(1)
> will get the resident key later from the token and store it in the agent.
> $ ssh-add -K
> With six or fewer keys in the agent, assuming default MaxAuthTries in
> the server, it is then only a matter of having the SSH client use the
> agent and the right key will be found.  However, with many keys already
> in the agent, the key has to be specified explicitly or the 'wrong' keys
> will get tried first.
> I'd like to point the client directly to the resident key without first
> extracting the resident key and saving it to the file system.  How may I
> tell the SSH client which key to use without a file on disk?

no such facility exists at present.

It wouldn't be hard to add such a capability to ssh, but we'd need to
figure out a good UI for it. FIDO2 AFAIK stores resident keys by 
{ user, application } name, so adding some way to download resident
keys and match/filter on these attributes would be the place to start.

This will probably require a change to the sk-api.h interface between
ssh and the FIDO hardware.

A slightly-terrible workaround might be to download all the keys to the
agent and delete the "wrong" ones.


More information about the openssh-unix-dev mailing list