Finding a resident key stored in an agent without a corresponding file?
Damien Miller
djm at mindrot.org
Tue Mar 23 16:17:46 AEDT 2021
On Sun, 21 Mar 2021, Lars Noodén wrote:
> I have a question about SK keys when there are more than 6 keys in the
> agent.
>
> If I have added an SK key as resident to a hardware token, using the -O
> resident option with ssh-keygen(1), then the -K option with ssh-add(1)
> will get the resident key later from the token and store it in the agent.
>
> $ ssh-add -K
>
> With six or fewer keys in the agent, assuming default MaxAuthTries in
> the server, it is then only a matter of having the SSH client use the
> agent and the right key will be found. However, with many keys already
> in the agent, the key has to be specified explicitly or the 'wrong' keys
> will get tried first.
>
> I'd like to point the client directly to the resident key without first
> extracting the resident key and saving it to the file system. How may I
> tell the SSH client which key to use without a file on disk?
No such facility exists at present.
It wouldn't be hard to add such a capability to ssh, but we'd need to
figure out a good UI for it. FIDO2 AFAIK stores resident keys by
{ user, application } name, so adding some way to download resident
keys and match/filter on these attributes would be the place to start.
This will probably require a change to the sk-api.h interface between
ssh and the FIDO hardware.
A slightly-terrible workaround might be to download all the keys to the
agent and delete the "wrong" ones.
-d
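The "download all the keys to the agent and delete the wrong ones" workaround from the reply, written out as an added shell example; it is not part of the thread and not OpenSSH's own code. It assumes a running ssh-agent with the token attached for the `prune_agent_to` step, while the two filter helpers operate on constructed `ssh-add -L`-style lines (placeholder key blobs, labelled as such in the code) so they can be checked without hardware. `prune_agent_to` refuses to remove anything unless the chosen string matches exactly one loaded key, and since `ssh-add -d` only drops a key from the agent, the resident credential on the token is untouched and can be reloaded with `ssh-add -K`.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: the "load every
# resident key, then delete the wrong ones" workaround for steering ssh at a
# single FIDO2 resident key that lives only in the agent.
#
# Typical run (needs ssh-agent running and the token plugged in):
#   ssh-add -K                 # pull resident keys off the token into the agent
#   ssh-add -L                 # list loaded keys; pick a string unique to the wanted one
#   prune_agent_to 'token-b'   # remove every other key from the agent
#
# ssh-add -d removes a key from the agent only; the resident credential on the
# token is untouched and can be reloaded with ssh-add -K at any time.

# Print the ssh-add -L lines (stdin) that do NOT contain the fixed string $1.
# These are the keys that would be offered before the wanted one and should go.
unwanted_keys() {
    awk -v keep="$1" 'index($0, keep) == 0'
}

# Count the ssh-add -L lines (stdin) that DO contain the fixed string $1.
count_matching() {
    awk -v keep="$1" 'index($0, keep) > 0 { n++ } END { print n + 0 }'
}

# Remove from the running agent every key whose listing line lacks $1.
# Refuses to act unless the filter selects exactly one key, so a string that
# matches several keys cannot empty the agent by accident.
prune_agent_to() {
    keep_filter="$1"
    listing=$(ssh-add -L) || { echo "no agent reachable or no keys loaded" >&2; return 1; }
    hits=$(printf '%s\n' "$listing" | count_matching "$keep_filter")
    if [ "$hits" -ne 1 ]; then
        echo "filter '$keep_filter' matches $hits keys, expected exactly 1; nothing removed" >&2
        return 1
    fi
    # ssh-add -d wants a file holding the public key, so each unwanted line is
    # written to a temporary file in turn. Only public material touches disk.
    pubtmp=$(mktemp) || return 1
    printf '%s\n' "$listing" | unwanted_keys "$keep_filter" |
    while IFS= read -r publine; do
        printf '%s\n' "$publine" > "$pubtmp"
        ssh-add -d "$pubtmp" || echo "could not remove: $publine" >&2
    done
    rm -f "$pubtmp"
}

# Constructed sample of ssh-add -L output (the key blobs are placeholders, not
# real keys) used to exercise the filters without an agent or a token.
SAMPLE_LISTING='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tCONSTRUCTED1 token-a
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTED2 laptop
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20CONSTRUCTED3 token-b'

# Dry run on the sample: show which keys prune_agent_to 'token-b' would remove.
printf '%s\n' "$SAMPLE_LISTING" | unwanted_keys 'token-b'
```

The string passed to `prune_agent_to` can be anything that appears only on the wanted key's `ssh-add -L` line: its comment, its key type, or a run of characters from the base64 blob. Because the helpers use `awk`'s `index()`, the string is matched literally, so dots and other regex metacharacters in a comment need no escaping.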