https://bugzilla.mindrot.org/show_bug.cgi?id=3869
Damien Miller <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #1 from Damien Miller <[email protected]> ---

Except for this spurious error:

> Could not add identity "/home/brendan/.ssh/id_ed25519": success

Everything you describe here is intended behaviour.

ssh-agent does not monitor files for changes. It only receives keys when the user loads them via ssh-add. It *can't* monitor local files, as the keys being loaded may not even be on the same host as ssh-agent (consider agent forwarding). Sometimes there is no file to monitor, e.g. keys being loaded from standard input, from a PKCS#11 token or from a FIDO device.

Likewise, loading a certificate *must* require the private key too. There are two reasons for this.

The first reason is practical: ssh-agent is essentially a repository for private keys and, in ssh-agent's view, certificates are just another type of private key.

The second reason has to do with security. If it is possible to load a certificate without the private key, then there is no proof that the user loading the certificate has *access* to the private key material that corresponds to that certificate. Relaxing this criterion would allow, for example, an attacker on a machine to which a user had forwarded their agent to load an unexpected certificate that could be used with a previously-loaded private key. Under some circumstances, this could be worse than the attacker having access to the agent at all.

Sorry, we don't intend to change any of this. I will fix the spurious error message though.
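As an added illustration (not part of the bug report or of OpenSSH's own test suite), the following script exercises the two points made above with a throwaway key, CA and certificate: ssh-add refuses a certificate file on its own, loads the certificate only as the companion of its private key, and the agent keeps serving the certificate it was handed even after the file on disk is re-signed. It assumes ssh-keygen, ssh-agent and ssh-add are installed and that the agent may create its socket under the default temporary directory.

```shell
#!/bin/sh
# Added example, not code from the bug or from OpenSSH. Requires the OpenSSH
# client tools on PATH; prints "skip: ..." and returns 0 when they are absent.
demo_agent_behaviour() {
    for t in ssh-keygen ssh-agent ssh-add; do
        command -v "$t" >/dev/null 2>&1 || { echo "skip: $t not installed"; return 0; }
    done
    d=$(mktemp -d) || return 1
    # Throwaway user key and CA; the CA signs user_key.pub into user_key-cert.pub.
    ssh-keygen -q -t ed25519 -N '' -f "$d/user_key"
    ssh-keygen -q -t ed25519 -N '' -f "$d/ca_key"
    ssh-keygen -q -s "$d/ca_key" -I demo-1 -n alice -z 1 "$d/user_key.pub"
    # Private agent for this demo only; torn down at the end.
    eval "$(ssh-agent -s)" >/dev/null

    # 1. A certificate file on its own is refused: ssh-add only ever parses a
    #    private key and looks for <key>-cert.pub as its companion.
    if ssh-add "$d/user_key-cert.pub" >/dev/null 2>&1; then
        cert_alone=accepted
    else
        cert_alone=refused
    fi

    # 2. Loading the private key brings the matching certificate with it,
    #    so the agent now lists two identities (key and key-cert).
    ssh-add "$d/user_key" >/dev/null 2>&1
    loaded=$(ssh-add -l | wc -l | tr -d ' ')

    # 3. The agent does not watch the file: re-sign the key with a new serial
    #    and key ID on disk; the agent keeps the certificate it was given.
    in_agent_before=$(ssh-add -L | grep -- '-cert-')
    ssh-keygen -q -s "$d/ca_key" -I demo-2 -n alice -z 2 "$d/user_key.pub"
    in_agent_after=$(ssh-add -L | grep -- '-cert-')
    on_disk_now=$(cut -d' ' -f2 "$d/user_key-cert.pub")
    if [ "$in_agent_before" = "$in_agent_after" ]; then
        case "$in_agent_after" in
            *"$on_disk_now"*) reload=reloaded ;;
            *) reload=unchanged ;;
        esac
    else
        reload=reloaded
    fi

    ssh-agent -k >/dev/null 2>&1
    rm -rf "$d"
    echo "cert-alone:$cert_alone loaded:$loaded on-resign:$reload"
}
```

Run it as `demo_agent_behaviour`; on a host with OpenSSH installed it prints `cert-alone:refused loaded:2 on-resign:unchanged`.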
