--- Comment #14 from Thomas Jarosch <thomas.jaro...@intra2net.com> ---
I've begun working on this patch set again. It's ported to openssh
What I don't like about the implementation is that it creates an
"empty" private key via sshkey_add_private() in ssh-add to reuse the
existing sshkey_private_serialize() infrastructure. Later on ssh-agent
uses the new sshkey_is_private() "hack" to determine if it's just a
cert or full private key.
A cleaner approach would be this:
- Add SSH2_AGENTC_ADD_CERTIFICATE_CONSTRAINED on-the-wire id
- Add sshkey_cert_serialize() and _deserialize()
- Load certificate via "ssh-add some-cert-file.pub"
  if a matching private key is already available
  (either loaded or on a PKCS11 token).
The clean extension to the ssh-agent protocol could be added to
and also be re-used by gpg2's ssh-agent emulation in the near future.
I've also checked the discussion on the resolved bug 2436
and it also had the goal to use multiple certificates.
Having ssh-agent support for this would be the next step.
[side note: The current PKCS11 code in ssh-add skips loading *any*
certificate. This might be due to the refcounting issue as outlined in
What do you think?
You mentioned earlier:
> but IMO users shouldn't be able to add keys to an agent *without*
> presenting their private section.
Can you elaborate a little more on this? Do you see a security risk?