ssh-agent could not add signed cert when private key stored in yubikey
Jakub Jelen
jjelen at redhat.com
Wed Jan 30 03:19:46 AEDT 2019
On Tue, 2019-01-29 at 22:35 +0800, YC wrote:
> Hi,
>
> I'm currently stuck with yubikey + signed user key + ssh-agent
> forwarding. As
> https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html
> noted, I have the private key stored in the yubikey, the public key in
> ~/.ssh/id_rsa.pub and the signed public key in ~/.ssh/id_rsa-cert.pub on
> the PC (see below).
>
> It's not working with this agent forwarding access:
> PC----Server_A----Server_B. With the private key saved in ~/id_rsa,
> it works fine! After a simple comparison, I found that when the
> private key is stored in yubikey hardware, ssh-add would not add the
> signed public key (id_rsa-cert.pub) to ssh-agent. Should this be the
> problem? Is there a way to add the signed public key to ssh-agent?
This is a known bug tracked here [1], including a proposed patch.
One possibility is to copy the public key and certificate to your
Server A, or to use the patch attached to the bug [1] (or wait; it will
hopefully land in the next release).
[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2472
Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.