Christian, Mark
2021-Jun-22 19:03 UTC
ssh-agent holds many certs. best way to ensure sshd sees them all besides increasing MaxAuthTries?
Wondering how I might be able to configure my ssh client or server so that any one of my ssh certificates may be used for authentication? Are there better ways to check for more than a couple certificates than by increasing sshd_config MaxAuthTries? I was thinking ssh -oCertificateFile could be used but I'm struggling to figure out how since my ssh-agent is the only place where the certs and private keys are located.

Each certificate may have a different principal, policy or validity, hence the multiple certificates.

The contents of my ssh-agent:

256 SHA256:Ft0/6CxRrwaPM/3bB0AQd/Vgw5mhT6ptq7Plj/cOYXI user at host (ED25519)
256 SHA256:Ft0/6CxRrwaPM/3bB0AQd/Vgw5mhT6ptq7Plj/cOYXI user at host (ED25519-CERT)
256 SHA256:Fn/259tp65oYC7LFz0RIpvl23S0GGqJbLvOYlj0Z26U user at host (ED25519)
256 SHA256:Fn/259tp65oYC7LFz0RIpvl23S0GGqJbLvOYlj0Z26U user at host (ED25519-CERT)
256 SHA256:thXXEAOnp8Xj+qtl+gDveYXjvy5MEkE9Vm5jos3qusM user at host (ED25519)
256 SHA256:thXXEAOnp8Xj+qtl+gDveYXjvy5MEkE9Vm5jos3qusM user at host (ED25519-CERT)
256 SHA256:e8Fag5D2xPFzYbqVBuctLxJ9mB2IkYO137kNo42WAs8 user at host (ED25519)
256 SHA256:e8Fag5D2xPFzYbqVBuctLxJ9mB2IkYO137kNo42WAs8 user at host (ED25519-CERT)
256 SHA256:uQQXF0hk67bGu3FVhnhxTxE+A1fGogiVt9rawTfQ+G4 user at host (ED25519)
256 SHA256:uQQXF0hk67bGu3FVhnhxTxE+A1fGogiVt9rawTfQ+G4 user at host (ED25519-CERT)

Any ideas?

Thank you, and thank you for your valuable work.

Mark Christian
Michael Ströder
2021-Jun-22 19:40 UTC
ssh-agent holds many certs. best way to ensure sshd sees them all besides increasing MaxAuthTries?
On 6/22/21 9:03 PM, Christian, Mark wrote:
> Wondering how I might be able to configure my ssh client or server so
> that any one of my ssh certificates may be used for authentication? Are
> there better ways to check for more than a couple certificates than by
> increasing sshd_config MaxAuthTries?

Maybe others correct me. But this problem is exactly the reason why my SSH-CA client uses ssh-add -D before loading a new cert to the key agent.

If those are really different certs issued for different principal names you might want to work with multiple ssh-agent processes.

Ciao, Michael.
Damien Miller
2021-Jun-23 00:57 UTC
ssh-agent holds many certs. best way to ensure sshd sees them all besides increasing MaxAuthTries?
On Tue, 22 Jun 2021, Christian, Mark wrote:
> Wondering how I might be able to configure my ssh client or server so
> that any one of my ssh certificates may be used for authentication? Are
> there better ways to check for more than a couple certificates than by
> increasing sshd_config MaxAuthTries? I was thinking ssh
> -oCertificateFile could be used but I'm struggling to figure out how
> since my ssh-agent is the only place where the certs and private keys
> are located.
>
> Each certificate may have a different principal, policy or validity,
> hence the multiple certificates.

You should be able to use CertificateFile+IdentitiesOnly to control which agent-hosted certificates are offered. See sshconnect2.c:pubkey_prepare() for the gory details.

-d
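One way to apply the CertificateFile+IdentitiesOnly approach when the certificates live only in the agent, as an added example that is not from the thread or from OpenSSH itself: export each certificate the agent lists (ssh-add -L output) into its own file and emit a Host stanza that offers only that certificate, leaving the private key in the agent. The output directory, the host aliases and the sample listing are assumptions; the key blobs are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread). Reads an `ssh-add -L` style listing
# on stdin, writes every certificate line to its own file and prints a
# Host block per certificate using IdentitiesOnly + CertificateFile.
set -eu

# export_agent_certs DIR < listing
# Writes DIR/cert-<n>.pub for each "*-cert-v01@openssh.com" line, ignores
# plain public keys, and prints the number of certificates written.
export_agent_certs() {
    dir=$1 n=0
    mkdir -p "$dir"
    while read -r keytype blob comment; do
        case $keytype in
        *-cert-v01@openssh.com)
            n=$((n + 1))
            printf '%s %s %s\n' "$keytype" "$blob" "$comment" >"$dir/cert-$n.pub"
            ;;
        esac
    done
    echo "$n"
}

# host_block ALIAS CERTFILE: a stanza that offers exactly one certificate.
# IdentitiesOnly stops ssh from also offering every other agent key; the
# private key matching the cert is still taken from the agent.
host_block() {
    printf 'Host %s\n    IdentitiesOnly yes\n    CertificateFile %s\n\n' "$1" "$2"
}

# Constructed sample in `ssh-add -L` layout: two ed25519 keys, each followed
# by its certificate. The base64 blobs are placeholders, not real keys.
SAMPLE_LISTING='ssh-ed25519 AAAAC3PLACEHOLDERKEY1 user@host
ssh-ed25519-cert-v01@openssh.com AAAAIHPLACEHOLDERCERT1 user@host
ssh-ed25519 AAAAC3PLACEHOLDERKEY2 user@host
ssh-ed25519-cert-v01@openssh.com AAAAIHPLACEHOLDERCERT2 user@host'

# demo [DIR]: run the sample through the exporter and print the Host blocks.
# Real use would pipe `ssh-add -L` instead of SAMPLE_LISTING.
demo() {
    out=${1:-$(mktemp -d)}
    count=$(printf '%s\n' "$SAMPLE_LISTING" | export_agent_certs "$out")
    i=1
    while [ "$i" -le "$count" ]; do
        host_block "cert$i-host" "$out/cert-$i.pub"
        i=$((i + 1))
    done
}
```

Append the printed stanzas to ~/.ssh/config and check the result with `ssh -G cert1-host`; each alias then offers a single certificate, so sshd sees the right one on the first attempt instead of burning MaxAuthTries on the others.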