Loading (Only) a Cert Into the Agent
Brian Candler
b.candler at pobox.com
Fri Sep 10 21:50:02 AEST 2021
On 10/09/2021 11:38, Damien Miller wrote:
> But you don't actually need to load a certificate into an agent to
> use it with an agent! You can just have the private key in the agent
> and specify CertificateFile in ~/.ssh/config or on the command-line
> and ssh will match the private key to the certificate when it is time
> to use it (well, it should anyway).
That is true, but:
a. if you are generating the certificate dynamically, you have to write
it out to the filesystem. Usually not a problem if the certificate
fetch is scripted.
b. if you are doing multi-hop ssh logins with agent forwarding, you have
to copy the certificate file to all intermediate hosts. That's a bigger
pain.
More information about the openssh-unix-dev
mailing list