Loading (Only) a Cert Into the Agent

Jochen Bern Jochen.Bern at binect.de
Fri Sep 10 17:53:18 AEST 2021

A quick question (I hope): I built an SSH user CA that would allow users
to SSH in (using their keypair) and thus trigger creation of a matching
cert. What I would *like* to do is to (add agent forwarding to the login
and) have the CA load the cert straight into the agent.

What happens is that doing an ssh-add on the CA fails because it cannot
find the *private* key in a local file, and even when I download the
cert and do the ssh-add locally, I need to enter the passphrase into the
terminal, presumably because it does read the privkey from its file as
well - in spite of the fact that the privkey is already loaded in the
agent all the time.

Is this a principal limitation of the code/protocol/security model,
something I can work around (though I don't yet see how), a feature
request with a chance of getting implemented, ... ?

Kind regards,
Jochen Bern

Binect GmbH

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3449 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20210910/511778b9/attachment.p7s>

More information about the openssh-unix-dev mailing list