bugzilla-daemon at bugzilla.mindrot.org
2011-Jun-10 11:37 UTC
[Bug 1914] New: ssh-add: add an option to cryptographically verify if agent can access the matching private key of a given public key
https://bugzilla.mindrot.org/show_bug.cgi?id=1914
Summary: ssh-add: add an option to cryptographically verify if
agent can access the matching private key of a given
public key
Product: Portable OpenSSH
Version: 5.8p2
Platform: All
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: ssh-add
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: kb at open.ch
Created attachment 2055
--> https://bugzilla.mindrot.org/attachment.cgi?id=2055
Patch
I need to cryptographically verify if a given key is loaded into the
agent.
The patch adds the option "-v pubkey" which allows ssh-add to do the
same public key authentication procedure as done by sshd. This means it
sends a challenge to the agent which must return a valid signature. It
does not just "believe" the agent as checking the output of "ssh-add -L"
would do.
Use case:
For remote access, the user logs in from home. First a one-time password
is used to authenticate the user via PAM. Then we want to check if the
user has his key loaded into the ssh-agent. Currently we do this by a
ForcedCommand which opens another ssh session, where the key is used
for authentication. We would like to do that test directly in the
ForcedCommand script.
The patch is based on 5.8p2 and implements that feature for ssh1 and
ssh2, contains regression tests and updates the man page.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
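The challenge-response check the report describes, as an added Python example that is neither the bug's patch nor OpenSSH code: it asks the agent on SSH_AUTH_SOCK to sign a fresh random nonce for a given public key and verifies the signature locally, so a key that merely appears in "ssh-add -L" output but cannot actually sign is rejected. It assumes the third-party `cryptography` package is installed and handles ssh-ed25519 keys only; the wire framing follows the SSH agent protocol (draft-miller-ssh-agent).

```python
import base64, os, socket, struct

SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 13, 14  # draft-miller-ssh-agent message numbers

def ssh_string(b: bytes) -> bytes:
    # SSH 'string' wire type: uint32 big-endian length, then the bytes.
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int = 0):
    # Decode one SSH 'string' at offset off; return (data, offset after it).
    n = struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sign_request(key_blob: bytes, challenge: bytes, flags: int = 0) -> bytes:
    # Framed SSH_AGENTC_SIGN_REQUEST: byte type, string key blob, string data, uint32 flags.
    body = bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob) + ssh_string(challenge)
    return ssh_string(body + struct.pack(">I", flags))

def parse_sign_response(msg: bytes):
    # (algorithm, raw signature), or None when the agent answered SSH_AGENT_FAILURE,
    # i.e. it does not hold (or will not use) the matching private key.
    if not msg or msg[0] != SSH_AGENT_SIGN_RESPONSE:
        return None
    sig_blob = read_string(msg, 1)[0]
    alg, off = read_string(sig_blob)
    return alg, read_string(sig_blob, off)[0]

def agent_holds_key(pubkey_line: str) -> bool:
    # Have the agent at SSH_AUTH_SOCK sign a fresh nonce and verify it with the public key,
    # the same trust model as sshd's publickey authentication (ssh-ed25519 keys only here).
    from cryptography.exceptions import InvalidSignature  # assumed installed
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    key_blob = base64.b64decode(pubkey_line.split()[1])
    alg, off = read_string(key_blob)
    if alg != b"ssh-ed25519":
        raise ValueError("this example handles ssh-ed25519 keys only")
    challenge = os.urandom(32)  # fresh per check, so a recorded signature cannot be replayed
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        s.sendall(build_sign_request(key_blob, challenge))
        with s.makefile("rb") as f:  # buffered read blocks until exactly n bytes arrive
            reply = f.read(struct.unpack(">I", f.read(4))[0])
    parsed = parse_sign_response(reply)
    if parsed is None or parsed[0] != b"ssh-ed25519":
        return False
    try:
        Ed25519PublicKey.from_public_bytes(read_string(key_blob, off)[0]).verify(parsed[1], challenge)
        return True
    except InvalidSignature:
        return False
```

A ForcedCommand script can call agent_holds_key() on the contents of the user's .pub file; a False result means the agent either lacks the key or refused to sign, which is the case "ssh-add -L" alone cannot distinguish.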
bugzilla-daemon at bugzilla.mindrot.org
2011-Jun-10 11:37 UTC
[Bug 1914] ssh-add: add an option to cryptographically verify if agent can access the matching private key of a given public key
Konrad Bucheli <kb at open.ch> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kb at open.ch
bugzilla-daemon at bugzilla.mindrot.org
2011-Jun-10 13:45 UTC
[Bug 1914] ssh-add: add an option to cryptographically verify if agent can access the matching private key of a given public key
--- Comment #1 from Damien Miller <djm at mindrot.org> 2011-06-10 23:45:38 EST ---
Created attachment 2056
--> https://bugzilla.mindrot.org/attachment.cgi?id=2056
Test key in agent
Markus Friedl had a similar patch (attached).
bugzilla-daemon at bugzilla.mindrot.org
2011-Jun-14 08:55 UTC
[Bug 1914] ssh-add: add an option to cryptographically verify if agent can access the matching private key of a given public key
Konrad Bucheli <kb at open.ch> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2055 is obsolete|0 |1
--- Comment #2 from Konrad Bucheli <kb at open.ch> 2011-06-14 18:55:34 EST ---
Created attachment 2058
--> https://bugzilla.mindrot.org/attachment.cgi?id=2058
Patch 2
I first posted a first version patch to the openssh-unix-dev mailing
list (04/07/11 09:12) before realizing that Bugzilla would be the
better place for it.
Markus Friedl then answered with the patch Damien Miller attached.
I used that patch as inspiration to simplify mine. I just gave another
look and there was still room for improvement, so I have now another
patch.
The main difference between them is that mine also supports ssh1.
Then we disagree whether the option -v (verify) or -T (test) should be used.
I would be happy with either of those two patches as I do not need ssh1
support. I just added it for the sake of completeness and in the hope
that it will ease the patch's acceptance...
Is there any support I can give for getting that feature upstream?
bugzilla-daemon at bugzilla.mindrot.org
2012-Jun-02 04:36 UTC
[Bug 1914] ssh-add: add an option to cryptographically verify if agent can access the matching private key of a given public key
Konrad Bucheli <kb at open.ch> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2058 is obsolete|0 |1
--- Comment #3 from Konrad Bucheli <kb at open.ch> 2012-06-02 14:36:32 EST ---
Created attachment 2162
--> https://bugzilla.mindrot.org/attachment.cgi?id=2162
updated patch for OpenSSH 6.0p1