On 9/10/21 9:53 AM, Jochen Bern wrote:
> A quick question (I hope): I built an SSH user CA that would allow users
> to SSH in (using their keypair) and thus trigger creation of a matching
> cert. What I would *like* to do is to (add agent forwarding to the login
> and) have the CA load the cert straight into the agent.
>
> What happens is that doing an ssh-add on the CA fails because it cannot
> find the *private* key in a local file, and even when I download the
> cert and do the ssh-add locally, I need to enter the passphrase into the
> terminal, presumably because it does read the privkey from its file as
> well - in spite of the fact that the privkey is already loaded in the
> agent all the time.
>
> Is this a principal limitation of the code/protocol/security model,
> something I can work around (though I don't yet see how), a feature
> request with a chance of getting implemented, ... ?
Yes, this has been discussed since 2015 in the context of PKCS #11-backed
keys in hardware, but the protocol has not yet been updated to support
loading separate certificates:
https://bugzilla.mindrot.org/show_bug.cgi?id=2472
Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
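The behaviour the thread turns on (ssh-add insisting on the private key file even though the key is already in the agent), as an added shell example that is not part of the mailing-list exchange or of OpenSSH itself: it builds a throwaway CA and user key, signs a certificate, and shows that ssh-add rejects the certificate file on its own but loads key plus certificate when the cert sits beside the private key as id_ed25519-cert.pub. The names demo-ca and demo-user, the one-hour validity and the file paths are constructed for the demo; it assumes the OpenSSH client tools (ssh-keygen, ssh-agent, ssh-add) are installed and runs against a private ssh-agent that it starts and kills itself.

```shell
#!/bin/sh
# Added example, not code from the thread: shows that ssh-add will not load a
# certificate on its own, but does load the certificate when it sits next to
# the private key file as <key>-cert.pub. Requires the OpenSSH client tools
# (ssh-keygen, ssh-agent, ssh-add). All keys, names and principals below are
# constructed for the demo.
set -u

for tool in ssh-keygen ssh-agent ssh-add; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; exit 1; }
done

WORK=$(mktemp -d)

# Run a throwaway agent so the user's real agent is left alone; kill it and
# remove the generated keys on exit.
eval "$(ssh-agent -s)" >/dev/null
trap 'ssh-agent -k >/dev/null 2>&1; rm -rf "$WORK"' EXIT

# The CA key (stands in for the "SSH user CA" in the thread).
ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$WORK/ca"
# The user's keypair. Unencrypted only so the demo needs no passphrase prompt;
# the thread's point is that ssh-add still reads this file when adding a cert.
ssh-keygen -q -t ed25519 -N '' -C demo-user -f "$WORK/id_ed25519"
# The CA signs the user's public key. ssh-keygen writes the certificate to
# $WORK/id_ed25519-cert.pub, which is the name ssh-add looks for beside the key.
ssh-keygen -q -s "$WORK/ca" -I demo-user -n demo-user -V +1h "$WORK/id_ed25519.pub"

# Attempt 1: hand ssh-add the certificate alone, as one would on the CA host
# where only the cert exists. There is no private key to parse, so it fails.
add_cert_only() {
    ssh-add "$WORK/id_ed25519-cert.pub" >/dev/null 2>&1
}

# Attempt 2: hand ssh-add the private key; it also picks up id_ed25519-cert.pub
# and loads both the plain key and the certificate into the agent.
add_key_with_cert() {
    ssh-add "$WORK/id_ed25519" >/dev/null 2>&1
}

# Number of certificate identities the agent now holds. ssh-add -L lists a
# loaded certificate with a "*-cert-v01@openssh.com" key type.
cert_identities_in_agent() {
    ssh-add -L 2>/dev/null | grep -c 'cert-v01@openssh.com'
}

if add_cert_only; then
    echo "unexpected: certificate loaded without its private key"
else
    echo "as expected: ssh-add refuses the certificate file on its own"
fi
add_key_with_cert && echo "key plus certificate loaded from the key file's directory"
echo "certificate identities in agent: $(cert_identities_in_agent)"
```

The second attempt is the only way ssh-add gets a certificate into the agent today: the agent protocol's add-identity request carries the private key material together with the certificate, so the client has to read the key file to build it, and there is no separate request that attaches a certificate to a key the agent already holds. That is the protocol gap the bugzilla entry above tracks; on a CA host that only ever sees public keys, the certificate therefore has to be shipped back to the user and added from the machine that holds the private key.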