PrivateKeyCommand config idea

Damien Miller djm at
Sun Mar 10 19:38:44 AEDT 2024

On Fri, 8 Mar 2024, openssh at wrote:

> G'day,
> In our infrastructure we're trying to be more diligent about switching
> to sk keys (and/or certs backed by sk keys.) However, there are some
> services like Gerrit and Jenkins which are written in java and I guess
> they will never support sk keys, or at least, it seems like it won't
> happen any time soon.
> For such services, typical practices at the moment include putting
> passphrases on the keys using OpenSSH's built-in AES128 encryption,
> and using GnuPG's ssh integration to create gpg-backed keys. These
> existing solutions cause various inconveniences, like needing to
> switch to a different terminal to get the passphrase out of Pass,
> or running into problems when trying to do agent-forwarding with
> gpg-backed keys on non-Linux OSes. Even on Linux, I think such a
> workflow can be a bit flaky at times.
> I wondered if there would be support for adding a new configuration
> option called something like PrivateKeyCommand, analogous to existing
> "*Command" configs like AuthorizedKeysCommand. In practice I imagine
> it looks like this:
>   Host
>      PrivateKeyCommand pass show ssh/gerrit_ed25519
> I suppose another possibility for the name could be IdentityCommand,
> analogous to IdentityFile.
> If you like, and time permitting, I may be interested in trying to
> implement such a patch -- but before I invest the work, I wondered if
> there would be support for including it, or would it introduce some
> sort of issue that I've probably overlooked?

Would you be able to do this using the ssh-agent protocol? It's
relatively easy to make custom agent implentations for special use
cases, e.g. using


More information about the openssh-unix-dev mailing list