bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-13 18:12 UTC
[Bug 3111] New: Option AddKeysToAgent does not load certificates into ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3111

Bug ID: 3111
Summary: Option AddKeysToAgent does not load certificates into ssh-agent
Product: Portable OpenSSH
Version: 8.1p1
Hardware: All
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh-agent
Assignee: unassigned-bugs at mindrot.org
Reporter: japlin at gmail.com

Using the option AddKeysToAgent loads key data, but not certificate data, into ssh-agent when a certificate is used to authenticate a session. Such a certificate thus cannot be used with agent forwarding unless manually loaded via ssh-add. Manual loading works as expected.

Reproduction setup: foo and bar both accept keys signed by the same Certificate Authority. Each has a unique keypair signed by the same Certificate Authority.

Manual (working):

me@foo:~$ ssh-add ~/.ssh/id_ed25519
Enter passphrase for /home/me/.ssh/id_ed25519:
Identity added: /home/me/.ssh/id_ed25519 (me@foo)
Certificate added: /home/me/.ssh/id_ed25519-cert.pub (me@foo.local)
me@foo:~$ ssh-add -L
ssh-ed25519 x me@foo
ssh-ed25519-cert-v01@openssh.com x me@foo.local
me@foo:~$ ssh -A -v -o AddKeysToAgent=no me@bar.local
...
debug1: Offering public key: /home/me/.ssh/id_ed25519 ED25519-CERT SHA256:x agent
debug1: Server accepts key: /home/me/.ssh/id_ed25519 ED25519-CERT SHA256:x agent
debug1: Authentication succeeded (publickey).
...
me@bar:~$ ssh-add -L
ssh-ed25519 x me@foo
ssh-ed25519-cert-v01@openssh.com x me@foo.local
me@bar:~$ ssh -A -v -o AddKeysToAgent=no me@foo.local
...
debug1: Offering public key: me@foo ED25519-CERT SHA256:x agent
debug1: Server accepts key: me@foo ED25519-CERT SHA256:x agent
debug1: Authentication succeeded (publickey).
...
me@foo:~$

AddKeysToAgent (not working):

me@foo:~$ ssh-add -L
The agent has no identities.
me@foo:~$ ssh -A -v -o AddKeysToAgent=yes me@bar.local
...
debug1: Offering public key: /home/me/.ssh/id_ed25519-cert.pub ED25519-CERT SHA256:x
debug1: Server accepts key: /home/me/.ssh/id_ed25519-cert.pub ED25519-CERT SHA256:x
Enter passphrase for /home/me/.ssh/id_ed25519:
debug1: identity added to agent: /home/me/.ssh/id_ed25519
debug1: Authentication succeeded (publickey).
...
me@bar:~$ ssh-add -L
ssh-ed25519 x me@foo
me@bar:~$ ssh -A -v -o AddKeysToAgent=yes me@foo.local
...
debug1: Will attempt key: me@foo ED25519 SHA256:x agent
....
debug1: Offering public key: me@foo ED25519 SHA256:x agent
...
(authentication fails, or a local key is picked)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
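A check for the symptom in the report above, added here as an example and not part of the bug report or of OpenSSH: it compares an `ssh-add -L` listing against a certificate's key type and blob, so a certificate that AddKeysToAgent left out of the agent is noticed before agent forwarding is relied on. The sample listings and blobs are constructed, and the default certificate path is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report). Checks whether ssh-agent holds the
# certificate, not only the private key, for a given *-cert.pub file.
# LISTING is the text printed by `ssh-add -L`; a line matches the certificate
# when its first two fields (key type and base64 blob) are equal; the comment
# field is ignored because ssh-add and the cert file may carry different ones.

# agent_has_cert LISTING CERT_LINE -> returns 0 if the cert is in LISTING
agent_has_cert() {
    listing=$1
    cert_type=$(printf '%s\n' "$2" | awk '{print $1}')
    cert_blob=$(printf '%s\n' "$2" | awk '{print $2}')
    printf '%s\n' "$listing" | awk -v t="$cert_type" -v b="$cert_blob" \
        '$1 == t && $2 == b { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample data: placeholder blobs, not real keys or certificates.
CERT_LINE='ssh-ed25519-cert-v01@openssh.com AAAAIHNhbXBsZS1jZXJ0 me@foo.local'
# What the agent lists after a manual `ssh-add ~/.ssh/id_ed25519` (key + cert).
AGENT_AFTER_SSH_ADD='ssh-ed25519 AAAAC3NzaC1sZDI1NTE5AAAAIHNhbXBsZS1rZXk me@foo
ssh-ed25519-cert-v01@openssh.com AAAAIHNhbXBsZS1jZXJ0 me@foo.local'
# What the agent lists after AddKeysToAgent=yes in the report (key only).
AGENT_AFTER_ADDKEYSTOAGENT='ssh-ed25519 AAAAC3NzaC1sZDI1NTE5AAAAIHNhbXBsZS1rZXk me@foo'

# Live use: compare the running agent against the certificate on disk. The
# default path is an assumption; adjust it to the identity actually in use.
# If the cert is missing, `ssh-add <private key>` loads key and cert together,
# as the report's manual session shows.
check_live_agent() {
    cert_file=${1:-$HOME/.ssh/id_ed25519-cert.pub}
    [ -r "$cert_file" ] || { echo "no certificate file: $cert_file" >&2; return 2; }
    if agent_has_cert "$(ssh-add -L 2>/dev/null)" "$(cat "$cert_file")"; then
        echo "certificate present in agent: $cert_file"
    else
        echo "certificate missing from agent; run: ssh-add ${cert_file%-cert.pub}" >&2
        return 1
    fi
}

# Run against the real agent with: sh this_script.sh --live [path/to/id-cert.pub]
if [ "${1:-}" = "--live" ]; then
    check_live_agent "${2:-}"
fi
```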
bugzilla-daemon at bugzilla.mindrot.org
2020-Mar-10 14:56 UTC
[Bug 3111] Option AddKeysToAgent does not load certificates into ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3111

Justin Aplin <japlin at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Severity|minor                       |normal
        Priority|P5                          |P4
         Version|8.1p1                       |8.2p1
bugzilla-daemon at mindrot.org
2022-Oct-15 18:46 UTC
[Bug 3111] Option AddKeysToAgent does not load certificates into ssh-agent
https://bugzilla.mindrot.org/show_bug.cgi?id=3111

Finlay <finman292004 at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              CC|                            |finman292004 at gmail.com

--- Comment #1 from Finlay <finman292004 at gmail.com> ---
Created attachment 3617
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3617&action=edit
Patch for the ssh agent certificate fix

I have written a patch for this bug and a pull request has been created to merge it into master. The patch is attached.