bugzilla-daemon at mindrot.org
2015-Apr-13 08:14 UTC
[Bug 2377] New: Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377

            Bug ID: 2377
           Summary: Add ssh-agent support to ssh-keygen
           Product: Portable OpenSSH
           Version: 6.9p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: boleslaw.tokarski at gmail.com

The only way for ssh-keygen to generate a certificate is currently to access the private key representing the CA from a file, or open the pkcs11 smartcard on its own.

This makes it cumbersome to automate, as either the key is unencrypted, and/or card is PINless, as otherwise every signing attempt forces a manual password/PIN prompt.

If ssh-keygen was able to access ssh-agent, it would be up to ssh-agent to hold the unencrypted private key, or to keep the pkcs11 smartcard open after having requested the PIN once. It could also be up to ssh-agent feature of gpg-agent to use a GnuPG card natively.

Use case: http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-April/033813.html

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2015-Apr-16 00:01 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
            Version|6.9p1                       |6.8p1
bugzilla-daemon at bugzilla.mindrot.org
2015-Aug-28 02:28 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377

David Gervais <dgervais at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dgervais at gmail.com
bugzilla-daemon at bugzilla.mindrot.org
2015-Aug-28 19:54 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377

Meghana Bhat <mgbhat28 at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mgbhat28 at gmail.com
bugzilla-daemon at bugzilla.mindrot.org
2015-Aug-28 20:42 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377

--- Comment #1 from Meghana Bhat <mgbhat28 at gmail.com> ---
Created attachment 2690
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2690&action=edit
add support for ssh agent to sign certificates
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-04 01:54 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377

--- Comment #2 from David Gervais <dgervais at gmail.com> ---
Created attachment 2692
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2692&action=edit
ssh-keygen testcase using ssh-agent for key signing

I've attached a simple test case showing the efficacy of the provided patch from mebhat. In the attached example, ssh-keygen will not prompt the user for credentials when specifying a signing key that is found in the ssh-agent. The user may provide either the private key file or public key file on the command line. If the public half of the CA is NOT found in the ssh-agent, the user will be prompted to enter credentials.

A more detailed test could be provided, but the intent is to demonstrate that the provided patch works as intended.
bugzilla-daemon at bugzilla.mindrot.org
2016-Oct-31 19:33 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377

Riccardo Coccioli <rcoccioli at wikimedia.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|6.8p1                       |7.3p1
                 CC|                            |rcoccioli at wikimedia.org

--- Comment #3 from Riccardo Coccioli <rcoccioli at wikimedia.org> ---
We, at the Wikimedia Foundation, are facing a scenario very similar to the one described in the linked mailing list thread, in which we'd like to use an already armored private SSH CA key to sign temporary keys.

With very few minor changes I was able to apply the proposed patch to the Debian Stretch openssh source package (version 7.3p1-1) [1] and so far it is working as expected during my tests.

I'd like to know what is the maintainer's position on this feature in general and this patch specifically. I'm also available if there is anything I can do to help with it.

[1] https://packages.debian.org/source/stretch/openssh
bugzilla-daemon at bugzilla.mindrot.org
2016-Nov-07 10:53 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377

Riccardo Coccioli <rcoccioli at wikimedia.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #2690 is obsolete|0                 |1

--- Comment #4 from Riccardo Coccioli <rcoccioli at wikimedia.org> ---
Created attachment 2887
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2887&action=edit
ssh-keygen: Add ssh-agent support for key signing (adapted to master branch)

Original patch (2690) developed against version 7.1p by Meghana Bhat <mebhat at akamai.com>.
Attached patch is adapted to master branch at 010359b (post 7.3p1, on 2016-11-07) by Riccardo Coccioli <rcoccioli at wikimedia.org>.

The same patch was also sent as a pull request on GitHub:
https://github.com/openssh/openssh-portable/pull/54
bugzilla-daemon at bugzilla.mindrot.org
2017-Jan-04 23:45 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |2647

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
bugzilla-daemon at bugzilla.mindrot.org
2017-May-25 02:29 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #2692 is obsolete|0                 |1
 Attachment #2887 is obsolete|0                 |1
             Status|NEW                         |ASSIGNED
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Created attachment 2983
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2983&action=edit
allow CA signature operation to use keys hosted in ssh-agent

This is an IMO slightly simpler patch that reuses the existing APIs to talk to ssh-agent. To support this, it adds a new sshkey_certify_custom() that allows the caller to pass in a custom signature function, which we then use in ssh-keygen to call out to the agent.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-28 01:10 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2647                        |2698
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
This has been committed and will be in OpenSSH 7.6

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
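
Agent-backed CA signing as requested in this bug, shown as an added example (not code from the thread, its attachments or OpenSSH itself). It relies on the `-U` option that ssh-keygen(1) documents for a CA key held in ssh-agent, which the thread does not name; the file names, key ID and principal are constructed, and OpenSSH 7.6 or later is assumed.

```shell
#!/bin/sh
# Added example: sign a user certificate with a CA key held only by ssh-agent.
# File names, key ID and principal are constructed for this demo.
# Assumes OpenSSH 7.6 or later ("ssh-keygen -U").

agent_ca_demo() (
    dir=$(mktemp -d) || exit 1
    # Private agent on its own socket; the subshell body keeps the
    # caller's SSH_AUTH_SOCK untouched.
    eval "$(ssh-agent -s -a "$dir/agent.sock")" >/dev/null || exit 1
    rc=1

    ssh-keygen -q -t ed25519 -N '' -C demo-ca   -f "$dir/ca" &&
    ssh-keygen -q -t ed25519 -N '' -C demo-user -f "$dir/user" &&
    ssh-add "$dir/ca" >/dev/null 2>&1 &&
    rm -f "$dir/ca" &&   # the private half now exists only inside the agent
    # -U: the CA key lives in the agent and is named by its public half.
    ssh-keygen -q -U -s "$dir/ca.pub" -I demo-cert-1 -n demo-user \
        -V +1h "$dir/user.pub" &&
    ca_fp=$(ssh-keygen -l -f "$dir/ca.pub" | awk '{print $2}') &&
    # The certificate must name our CA's fingerprint as its signer.
    ssh-keygen -L -f "$dir/user-cert.pub" | grep 'Signing CA:' |
        grep -qF "$ca_fp" &&
    rc=0

    # Negative check: once the agent forgets the key, signing must fail.
    if [ "$rc" -eq 0 ]; then
        ssh-add -D >/dev/null 2>&1
        if ssh-keygen -q -U -s "$dir/ca.pub" -I demo-cert-2 -n demo-user \
               "$dir/user.pub" 2>/dev/null; then
            rc=2
        fi
    fi

    ssh-agent -k >/dev/null 2>&1
    rm -rf "$dir"
    exit "$rc"
)

agent_ca_demo && echo "certificate signed by agent-held CA"
```

In production the CA key would be passphrase-protected or on a token and unlocked once via ssh-add; the empty passphrase here only keeps the demo non-interactive.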
bugzilla-daemon at mindrot.org
2021-Apr-23 04:56 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release