bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-01 18:56 UTC
[Bug 3028] New: Discrepancy with URL man pages.
https://bugzilla.mindrot.org/show_bug.cgi?id=3028
Bug ID: 3028
Summary: Discrepancy with URL man pages.
Product: Portable OpenSSH
Version: 7.4p1
Hardware: ix86
OS: Linux
Status: NEW
Severity: trivial
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: donald.p.richards1 at aexp.com
For the man pages under the URL, https://man.openbsd.org/ssh-keygen,
the option -U states:
-U When used in combination with -s, this option indicates that a CA
key resides in a ssh-agent(1). See the CERTIFICATES section for more
information.
Under the CERTIFICATES section,
https://man.openbsd.org/ssh-keygen#CERTIFICATES, it states:
Similarly, it is possible for the CA key to be hosted in a
ssh-agent(1). This is indicated by the -U flag and, again, the CA key
must be identified by its public half.
$ ssh-keygen -Us ca_key.pub -I key_id user_key.pub
In all cases, key_id is a "key identifier" that is logged by the
server when the certificate is used for authentication.
I have a use case in which having a Certificate Authority's private
key loaded in the ssh-agent would be very beneficial (i.e. not having
the private key unsecured), and then using it to sign ssh host
certificates using
"ssh-keygen -Us ca_key.pub -h -I key_id host_key.pub"
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-01 19:34 UTC
[Bug 3028] Discrepancy with URL man pages.
https://bugzilla.mindrot.org/show_bug.cgi?id=3028
--- Comment #1 from donald.p.richards1 at aexp.com ---
I believe I found that ssh-keygen was updated to include -U at version
7.6/7.6p1.
* ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a
CA when signing certificates. bz#2377
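The version mismatch discussed in this thread can be caught before signing. The following is an added example, not part of the original messages and not OpenSSH project code: it gates the "ssh-keygen -Us ... -h" command from the report on the installed release and on the CA key actually being loaded in ssh-agent. The function names are hypothetical, and it assumes ssh and ssh-keygen come from the same OpenSSH release.

```shell
# Added example, not OpenSSH project code. Minimum release taken from the
# thread's statement that -U arrived in 7.6/7.6p1.
MIN_MAJOR=7
MIN_MINOR=6

# Print "major.minor" from a banner like "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips".
parse_openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 if the release supports ssh-keygen -U, 1 if too old,
# 2 if the banner is not recognised.
supports_agent_ca() {
    ver=$(parse_openssh_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -gt "$MIN_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; then
        return 0
    fi
    return 1
}

# Return 0 if the key blob in public key file $1 appears in the agent
# listing $2 (the output of "ssh-add -L"). Comments on the keys may differ.
ca_in_agent() {
    blob=$(awk 'NR==1 {print $2}' "$1")
    [ -n "$blob" ] || return 1
    printf '%s\n' "$2" | awk -v b="$blob" '$2 == b {found=1} END {exit !found}'
}

# Sign host key $3 with the agent-held CA whose public half is $1, key_id $2.
# Assumption: ssh -V reports the same release as the installed ssh-keygen.
sign_host_key() {
    banner=$(ssh -V 2>&1)
    if ! supports_agent_ca "$banner"; then
        echo "ssh-keygen -U needs OpenSSH >= 7.6, found: $banner" >&2
        return 1
    fi
    if ! ca_in_agent "$1" "$(ssh-add -L 2>/dev/null)"; then
        echo "CA key $1 is not loaded in ssh-agent" >&2
        return 1
    fi
    ssh-keygen -Us "$1" -h -I "$2" "$3"
}
```

Sourcing the file and running "sign_host_key ca_key.pub key_id host_key.pub" on the reporter's 7.4p1 system stops at the version check instead of failing inside ssh-keygen.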
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-12 04:24 UTC
[Bug 3028] Discrepancy with URL man pages.
https://bugzilla.mindrot.org/show_bug.cgi?id=3028
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WORKSFORME
CC| |djm at mindrot.org
Status|NEW |RESOLVED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
If I'm reading this correctly, you've figured this out already and were
trying to use a feature added in a newer release of OpenSSH than the
one you had at hand.
As such, I'll close this bug. If I've misread the situation then please
feel free to reopen.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:54 UTC
[Bug 3028] Discrepancy with URL man pages.
https://bugzilla.mindrot.org/show_bug.cgi?id=3028
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle