bugzilla-daemon at mindrot.org
2015-Apr-13 08:14 UTC
[Bug 2377] New: Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377
Bug ID: 2377
Summary: Add ssh-agent support to ssh-keygen
Product: Portable OpenSSH
Version: 6.9p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: boleslaw.tokarski at gmail.com
The only way for ssh-keygen to generate a certificate is currently to
access the private key representing the CA from a file, or open the
pkcs11 smartcard on its own.
This makes it cumbersome to automate, as either the key is unencrypted
and/or the card is PINless, as otherwise every signing attempt forces a
manual password/PIN prompt.
If ssh-keygen were able to access ssh-agent, it would be up to ssh-agent
to hold the unencrypted private key, or to keep the pkcs11 smartcard
open after having requested the PIN once. It could also be up to the
ssh-agent feature of gpg-agent to use a GnuPG card natively.
Use case:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-April/033813.html
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2015-Apr-16 00:01 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377
Darren Tucker <dtucker at zip.com.au> changed:
What    | Removed | Added
--------|---------|----------------------
CC      |         | dtucker at zip.com.au
Version | 6.9p1   | 6.8p1
bugzilla-daemon at bugzilla.mindrot.org
2015-Aug-28 02:28 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377
David Gervais <dgervais at gmail.com> changed:
What | Removed | Added
-----|---------|---------------------
CC   |         | dgervais at gmail.com
bugzilla-daemon at bugzilla.mindrot.org
2015-Aug-28 19:54 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377
Meghana Bhat <mgbhat28 at gmail.com> changed:
What | Removed | Added
-----|---------|---------------------
CC   |         | mgbhat28 at gmail.com
bugzilla-daemon at bugzilla.mindrot.org
2015-Aug-28 20:42 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377
--- Comment #1 from Meghana Bhat <mgbhat28 at gmail.com> ---
Created attachment 2690
--> https://bugzilla.mindrot.org/attachment.cgi?id=2690&action=edit
add support for ssh agent to sign certificates
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-04 01:54 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377
--- Comment #2 from David Gervais <dgervais at gmail.com> ---
Created attachment 2692
--> https://bugzilla.mindrot.org/attachment.cgi?id=2692&action=edit
ssh-keygen testcase using ssh-agent for key signing
I've attached a simple test case showing the efficacy of the provided
patch from mebhat. In the attached example, ssh-keygen will not prompt
the user for credentials when specifying a signing key that is found in
the ssh-agent. The user may provide either the private key file or
public key file on the command line. If the public half of the CA is NOT
found in the ssh-agent, the user will be prompted to enter credentials.
A more detailed test could be provided, but the intent is to demonstrate
that the provided patch works as intended.
bugzilla-daemon at bugzilla.mindrot.org
2016-Oct-31 19:33 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377
Riccardo Coccioli <rcoccioli at wikimedia.org> changed:
What    | Removed | Added
--------|---------|--------------------------
Version | 6.8p1   | 7.3p1
CC      |         | rcoccioli at wikimedia.org
--- Comment #3 from Riccardo Coccioli <rcoccioli at wikimedia.org> ---
We, at the Wikimedia Foundation, are facing a scenario very similar to
the one described in the linked mailing list thread, in which we'd like
to use an already armored private SSH CA key to sign temporary keys.
With very few minor changes I was able to apply the proposed patch to
the Debian Stretch openssh source package (version 7.3p1-1) [1] and so
far it is working as expected during my tests.
I'd like to know what the maintainer's position is on this feature in
general and on this patch specifically.
I'm also available if there is anything I can do to help with it.
[1] https://packages.debian.org/source/stretch/openssh
bugzilla-daemon at bugzilla.mindrot.org
2016-Nov-07 10:53 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377
Riccardo Coccioli <rcoccioli at wikimedia.org> changed:
What                         | Removed | Added
-----------------------------|---------|------
Attachment #2690 is obsolete | 0       | 1
--- Comment #4 from Riccardo Coccioli <rcoccioli at wikimedia.org> ---
Created attachment 2887
--> https://bugzilla.mindrot.org/attachment.cgi?id=2887&action=edit
ssh-keygen: Add ssh-agent support for key signing (adapted to master
branch)
Original patch (2690) developed against version 7.1p by Meghana Bhat
<mebhat at akamai.com>.
Attached patch is adapted to master branch at 010359b (post 7.3p1, on
2016-11-07) by Riccardo Coccioli <rcoccioli at wikimedia.org>.
The same patch was also sent as a pull request on GitHub:
https://github.com/openssh/openssh-portable/pull/54
bugzilla-daemon at bugzilla.mindrot.org
2017-Jan-04 23:45 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377
Damien Miller <djm at mindrot.org> changed:
What   | Removed | Added
-------|---------|-------------------
CC     |         | djm at mindrot.org
Blocks |         | 2647
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
bugzilla-daemon at bugzilla.mindrot.org
2017-May-25 02:29 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377
Damien Miller <djm at mindrot.org> changed:
What                         | Removed                        | Added
-----------------------------|--------------------------------|-------------------
Attachment #2692 is obsolete | 0                              | 1
Attachment #2887 is obsolete | 0                              | 1
Status                       | NEW                            | ASSIGNED
Assignee                     | unassigned-bugs at mindrot.org | djm at mindrot.org
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Created attachment 2983
--> https://bugzilla.mindrot.org/attachment.cgi?id=2983&action=edit
allow CA signature operation to use keys hosted in ssh-agent
This is an IMO slightly simpler patch that reuses the existing APIs to
talk to ssh-agent. To support this, it adds a new
sshkey_certify_custom() that allows the caller to pass in a custom
signature function, which we then use in ssh-keygen to call out to the
agent.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-28 01:10 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377
Damien Miller <djm at mindrot.org> changed:
What       | Removed  | Added
-----------|----------|---------
Blocks     | 2647     | 2698
Status     | ASSIGNED | RESOLVED
Resolution | ---      | FIXED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
This has been committed and will be in OpenSSH 7.6.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
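As an added example, not an attachment from this bug: the feature committed here shipped in OpenSSH 7.6 as the `ssh-keygen -U` flag, which makes `-s` look the CA key up in the agent named by SSH_AUTH_SOCK instead of opening a private key file. The script builds a throwaway CA, loads it into a dedicated agent, deletes the on-disk CA private key, and then signs a user key with only the CA public key available, so the resulting signature can only have come from the agent; all file names, the identity and the principal are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the bug thread. Needs ssh-keygen, ssh-agent and
# ssh-add from OpenSSH >= 7.6 (the release that carries the -U flag).
set -eu

WORK=$(mktemp -d)   # scratch dir for the constructed CA and user keys

# Create a demo CA and a user key, start a dedicated agent bound to a socket in
# the scratch dir, load the CA into it, then remove the CA private key file so
# the agent is the only thing that can produce a CA signature.
setup_agent_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'demo CA' -f "$WORK/ca"
    ssh-keygen -q -t ed25519 -N '' -C 'demo user' -f "$WORK/user"
    eval "$(ssh-agent -s -a "$WORK/agent.sock")" >/dev/null
    ssh-add -q "$WORK/ca"
    rm -f "$WORK/ca"
}

# Sign user.pub with the agent-hosted CA. Only ca.pub is passed to -s; -U makes
# ssh-keygen request the signature from the agent instead of opening a key
# file, so no passphrase or PIN prompt can occur here. Prints the certificate's
# "Signing CA" fingerprint for comparison with ca_fingerprint.
sign_via_agent() {
    ssh-keygen -q -U -s "$WORK/ca.pub" -I demo-user -n demo -V +5m "$WORK/user.pub"
    ssh-keygen -L -f "$WORK/user-cert.pub" \
        | sed -n 's/.*Signing CA: [A-Za-z0-9-]* \([^ ]*\).*/\1/p'
}

# Fingerprint of the CA public key, as ssh-keygen -l reports it.
ca_fingerprint() {
    ssh-keygen -l -f "$WORK/ca.pub" | awk '{ print $2 }'
}

# Stop the agent and discard the scratch material.
cleanup() {
    ssh-agent -k >/dev/null 2>&1 || true
    rm -rf "$WORK"
}

if [ "${1:-}" = "run" ]; then
    setup_agent_ca
    cert_ca=$(sign_via_agent)
    if [ "$cert_ca" = "$(ca_fingerprint)" ]; then
        echo "certificate signed by agent-hosted CA $cert_ca"
    fi
    cleanup
fi
```

Run it as `sh demo.sh run`; the same approach works when the CA lives on a PKCS#11 token added to the agent with `ssh-add -s`, which is the PIN-once scenario the bug report asks for.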
bugzilla-daemon at mindrot.org
2021-Apr-23 04:56 UTC
[Bug 2377] Add ssh-agent support to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2377
Damien Miller <djm at mindrot.org> changed:
What   | Removed  | Added
-------|----------|-------
Status | RESOLVED | CLOSED
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release