Loading (Only) a Cert Into the Agent

Jakub Jelen jjelen at redhat.com
Fri Sep 10 18:00:08 AEST 2021

On 9/10/21 9:53 AM, Jochen Bern wrote:
> A quick question (I hope): I built an SSH user CA that would allow users
> to SSH in (using their keypair) and thus trigger creation of a matching
> cert. What I would *like* to do is to (add agent forwarding to the login
> and) have the CA load the cert straight into the agent.
> What happens is that doing an ssh-add on the CA fails because it cannot
> find the *private* key in a local file, and even when I download the
> cert and do the ssh-add locally, I need to enter the passphrase into the
> terminal, presumably because it does read the privkey from its file as
> well - in spite of the fact that the privkey is already loaded in the
> agent all the time.
> Is this a principal limitation of the code/protocol/security model,
> something I can work around (though I don't yet see how), a feature
> request with a chance of getting implemented, ... ?

this was discussed since 2015 in context of PKCS #11 backed keys in 
hardware, but the protocol was not yet updated to support loading 
separate certificates:


Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.

More information about the openssh-unix-dev mailing list