https://bugzilla.mindrot.org/show_bug.cgi?id=3111

            Bug ID: 3111
           Summary: Option AddKeysToAgent does not load certificates into
                    ssh-agent
           Product: Portable OpenSSH
           Version: 8.1p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh-agent
          Assignee: [email protected]
          Reporter: [email protected]

Using the option AddKeysToAgent loads key data, but not certificate
data, into ssh-agent when a certificate is used to authenticate a
session. Such a certificate thus cannot be used with agent forwarding
unless manually loaded via ssh-add. Manual loading works as expected.

Reproduction setup:

foo and bar both accept keys signed by the same Certificate Authority.
Each has a unique keypair signed by the same Certificate Authority.

Manual (working):

me@foo:~$ ssh-add ~/.ssh/id_ed25519
Enter passphrase for /home/me/.ssh/id_ed25519:
Identity added: /home/me/.ssh/id_ed25519 (me@foo)
Certificate added: /home/me/.ssh/id_ed25519-cert.pub ([email protected])
me@foo:~$ ssh-add -L
ssh-ed25519 x me@foo
[email protected] x [email protected]
me@foo:~$ ssh -A -v -o AddKeysToAgent=no [email protected]
...
debug1: Offering public key: /home/me/.ssh/id_ed25519 ED25519-CERT
SHA256:x agent
debug1: Server accepts key: /home/me/.ssh/id_ed25519 ED25519-CERT
SHA256:x agent
debug1: Authentication succeeded (publickey).
...
me@bar:~$ ssh-add -L
ssh-ed25519 x me@foo
[email protected] x [email protected]
me@bar:~$ ssh -A -v -o AddKeysToAgent=no [email protected]
...
debug1: Offering public key: me@foo ED25519-CERT SHA256:x agent
debug1: Server accepts key: me@foo ED25519-CERT SHA256:x agent
debug1: Authentication succeeded (publickey).
...
me@foo:~$

AddKeysToAgent (not working):

me@foo:~$ ssh-add -L
The agent has no identities.
me@foo:~$ ssh -A -v -o AddKeysToAgent=yes [email protected]
...
debug1: Offering public key: /home/me/.ssh/id_ed25519-cert.pub
ED25519-CERT SHA256:x
debug1: Server accepts key: /home/me/.ssh/id_ed25519-cert.pub
ED25519-CERT SHA256:x
Enter passphrase for /home/me/.ssh/id_ed25519:
debug1: identity added to agent: /home/me/.ssh/id_ed25519
debug1: Authentication succeeded (publickey).
...
me@bar:~$ ssh-add -L
ssh-ed25519 x me@foo
me@bar:~$ ssh -A -v -o AddKeysToAgent=yes [email protected]
...
debug1: Will attempt key: me@foo ED25519 SHA256:x agent
....
debug1: Offering public key: me@foo ED25519 SHA256:x agent
...
(authentication fails, or a local key is picked)
