Insert certificate into agent for existing key?
Brian Candler
b.candler at pobox.com
Tue Feb 9 00:56:53 AEDT 2021
On 08/02/2021 12:58, Jakub Jelen wrote:
> this was discussed in the following two bugs in the context of pkcs11
> keys, but without any definite solution.
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2472
> https://bugzilla.mindrot.org/show_bug.cgi?id=2808
Thanks for those references.
I'm not sure I understand the last comment
<https://bugzilla.mindrot.org/show_bug.cgi?id=2808#c2>:
"BTW You can use certificates in ssh already using keys stored in an
agent or token. Certificates are grafted to external keys at
authentication time if they are available."
I *think* it's saying that you can authenticate using a private key in
an agent together with a corresponding id_xxx.cert file on the
filesystem. But that means if you download your certificate from
somewhere, you have to write it to the filesystem in a suitable
location. Also, if you're doing multiple login hops using agent
forwarding, you'd have to copy the certificate to each hop where the ssh
client runs to ssh to the next hop. Is that right?
Alternatively: you could reload your private key and cert together into
the agent. That would presumably require re-unlocking the private key
with the passphrase, and wouldn't work for private keys stored in hardware
tokens.
Thanks,
Brian.
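The two routes described in the message above, exercised end to end. This is an added example for this page, not code from Brian's post or from the OpenSSH project; it generates throwaway keys of its own (a demo CA and user key, both constructed here) and needs the OpenSSH client tools (ssh-keygen, ssh-agent, ssh-add, ssh) on PATH. The host name hop.example, the principal name demo and the socket path under the temp directory are arbitrary choices for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH). Shows how a certificate
# gets paired with an agent-held key in the two ways the post describes.
set -u

# Route 2 from the post: reload private key and certificate together.
# Makes a throwaway CA and user key, signs the key, loads it into a private
# agent, and echoes how many certificate entries the agent then holds.
demo_key_and_cert_in_agent() {
    dir=$(mktemp -d) || return 1
    # Throwaway CA and user key, constructed for this demo only.
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$dir/ca" || return 1
    ssh-keygen -q -t ed25519 -N '' -C demo-user -f "$dir/id_ed25519" || return 1
    # Sign the user key: ssh-keygen writes $dir/id_ed25519-cert.pub beside it.
    ssh-keygen -q -s "$dir/ca" -I demo-user -n demo -V +1h \
        "$dir/id_ed25519.pub" || return 1

    # Private agent bound to a socket inside the temp dir.
    agent_env=$(ssh-agent -s -a "$dir/agent.sock") || return 1
    eval "$agent_env" >/dev/null
    # ssh-add reads the private key (passphrase prompt if it had one) and,
    # because id_ed25519-cert.pub sits next to it, adds the certificate as a
    # second agent entry. A forwarded agent exposes both entries on later hops.
    ssh-add "$dir/id_ed25519" >/dev/null 2>&1 || { kill "$SSH_AGENT_PID"; return 1; }
    # ssh-add -L lists public halves: one plain key, one *-cert-v01@openssh.com.
    certs=$(ssh-add -L | grep -c 'cert-v01@openssh.com')
    kill "$SSH_AGENT_PID"
    rm -rf "$dir"
    echo "$certs"
}

# Route 1 from the post: private key in the agent (or a token), certificate
# as a file on the host where the ssh client runs, named via CertificateFile.
# ssh -G prints the effective config without connecting, so this is offline;
# it echoes the basename of the certificate file ssh would graft on.
demo_certificatefile_config() {
    dir=$(mktemp -d) || return 1
    cat >"$dir/config" <<EOF
Host hop.example
    # Only the certificate is read from disk; the key stays in the agent.
    IdentityAgent $dir/agent.sock
    IdentitiesOnly yes
    CertificateFile $dir/id_ed25519-cert.pub
EOF
    ssh -F "$dir/config" -G hop.example |
        awk '$1 == "certificatefile" { n = split($2, p, "/"); print p[n] }'
    rm -rf "$dir"
}

# Usage (prints "1" and "id_ed25519-cert.pub" on a host with the OpenSSH tools):
# demo_key_and_cert_in_agent
# demo_certificatefile_config
```

The first function is the "reload key and cert together" option: it works because ssh-add takes the private key path and picks up the adjacent -cert.pub itself, so the certificate travels with the agent through forwarding, but it cannot be applied to a key the agent already holds without the private key (or to a token-resident key). The second is the "certificate on the filesystem" option the bug comment refers to: the grafting happens in the ssh client, so the CertificateFile must exist on each hop where ssh is run.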