[Bug 2472] Add support to load additional certificates

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Feb 22 02:45:01 AEDT 2018


Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
                 CC|                            |jjelen at redhat.com

--- Comment #15 from Jakub Jelen <jjelen at redhat.com> ---
> > but IMO users shouldn't be able to add keys to an agent *without*
> > presenting their private section.
> Can you elaborate a little more on this? Do you see a security risk?

If the server accepted such a key, it would be a big security issue
of that server. I believe it is just good practice to also make sane
the client applications, which are not going to allow potentially
broken/breaking configuration. You can send the public key/certificate
tests, but you really cannot authenticate without the private

Thank you for the work on the patch. It sounds like a useful feature to
do and support. But I am not sure if this is the best way to do
that. Your proposal about adding
even for the price of extending the protocol for one more message.

For the patch to be more acceptable, I believe a few test cases to verify
the general functionality would be good. There is already one
almost-working test with ssh-agent and the soft-pkcs11 module, but I
elaborated on it more in bug #2817, which solves a different
problem of PKCS#11 support, but can be used as a reference for the test