--- Comment #14 from Thomas Jarosch <> ---
Hi Damien,

I've begun working on this patch set again. It's ported to openssh
7.6p1 already.

What I don't like about the implementation is that it creates an
"empty" private key via sshkey_add_private() in ssh-add to reuse the
existing sshkey_private_serialize() infrastructure. Later on ssh-agent
uses the new sshkey_is_private() "hack" to determine if it's just a
cert or a full private key.

A cleaner approach would be this:

- Add sshkey_cert_serialize() and _deserialize()
- Load certificate via "ssh-add"
  if a matching private key is already available
  (either loaded or on a PKCS11 token).

The clean extension to the ssh-agent protocol could be added to
and also be re-used by gpg2's ssh-agent emulation in the near future.

I've also checked the discussion on the resolved bug 2436
and it also had the goal to use multiple certificates.
Having ssh-agent support for this would be the next step.

[side note: The current PKCS11 code in ssh-add skips loading *any*
certificate. This might be due to the refcounting issue as outlined in
comment 7]

What do you think?

You mentioned earlier:
> but IMO users shouldn't be able to add keys to an agent *without*
> presenting their private section.

Can you elaborate a little more on this? Do you see a security risk?
