ssh-agent could not add signed cert when private key stored in yubikey

Damien Miller djm at mindrot.org
Wed Jan 30 09:58:26 AEDT 2019


On Tue, 29 Jan 2019, YC wrote:

> Hi,
> 
> I'm currently stuck with yubikey + signed user key + ssh-agent forwarding.
> As https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html noted,
> I have private key stored in yubikey, public key in ~/.ssh/id_rsa.pub and
> signed public key in ~/.ssh/id_rsa-cert.pub on PC (see bellow).

There is currently no way to add certificates to an agent for PKCS#11
keys.

That being said, you don't strictly need to. ssh is able to graft the
certificates to private keys held in agents or tokens at runtime - you
just need to specify the certificate(s) using the IdentityFile directive.

Note that this won't work using agent forwarding, but it will work using
ProxyJump.

-d


More information about the openssh-unix-dev mailing list