bugzilla-daemon at mindrot.org
2024-Apr-19 20:52 UTC
[Bug 3681] New: SSH Agent Certificate Not Recognized with 'IdentitiesOnly' Configured
https://bugzilla.mindrot.org/show_bug.cgi?id=3681

            Bug ID: 3681
           Summary: SSH Agent Certificate Not Recognized with 'IdentitiesOnly' Configured
           Product: Portable OpenSSH
           Version: 9.7p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: contact at alexandre-petit.fr

Created attachment 3812
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3812&action=edit
git diff for fix example (sshconnect2.c)

The certificate present in the SSH agent is not added to the keys to be tested when 'IdentitiesOnly yes' is configured in the ~/.ssh/config file.

$ cat ~/.ssh/config
Host exemple.org
  IdentityFile ~/.ssh/id_ed25519.pub
  IdentitiesOnly Yes

$ ssh-add -l
256 SHA256:<FINGERPRINT> <COMMENT> (ED25519)
256 SHA256:<FINGERPRINT> <COMMENT> (ED25519-CERT)

$ ls ~/.ssh/config
config
id_ed25519.pub

With the same configuration, 'ssh' defaults to looking for a certificate in ~/.ssh/id_ed25519.pub-cert:

$ ssh -vvv user at exemple.org
debug1: identity file ~/.ssh/id_ed25519.pub type 3
debug1: identity file ~/.ssh/id_ed25519.pub-cert type -1

I believe the expected behavior should also include searching for the certificate in the agent.

I have attempted a very simple and unpretentious fix. The .diff file is attached. The certificate is added from the agent with 'IdentitiesOnly Yes'. The code is redundant, but it works.

Yet another inconsistency: 'ssh-keygen' generates certificates in the form id_ed25519-cert.pub, whereas "ssh" searches for id_ed25519.pub-cert.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
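The report above describes a configuration that silently downgrades from certificate to plain-key authentication: with 'IdentitiesOnly yes' the client offers only the configured IdentityFile (plus a certificate it finds on disk next to it), so a certificate that exists only in the agent is never tried. The following is an added diagnostic, not code from the reporter's patch or from OpenSSH. It parses constructed `ssh-add -l` output and a constructed ~/.ssh/config block, applies the documented rule from ssh_config(5) that ssh looks for the certificate at the IdentityFile path with "-cert.pub" appended, and reports whether the certificate would actually be offered. The fingerprint-to-file mapping and the set of files on disk are passed in by the caller (in real use they would come from `ssh-keygen -lf` and the filesystem); the sample values are constructed placeholders, and the ssh_config parser is deliberately minimal (exact Host match only, no glob or first-match merging).

```python
"""Check whether a certificate will be offered under 'IdentitiesOnly yes'.

Added diagnostic illustrating bug 3681; not part of OpenSSH.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# One line of `ssh-add -l`: "<bits> SHA256:<fingerprint> <comment> (<TYPE>)"
AGENT_LINE = re.compile(r"^(\d+)\s+(SHA256:\S+)\s+(.*?)\s*\(([A-Z0-9-]+)\)$")


@dataclass
class AgentKey:
    bits: int
    fingerprint: str
    comment: str
    keytype: str

    @property
    def is_cert(self) -> bool:
        # ssh-add marks certificates with a "-CERT" suffix, e.g. ED25519-CERT
        return self.keytype.endswith("-CERT")


def parse_ssh_add_list(text: str) -> List[AgentKey]:
    """Parse the text output of `ssh-add -l` into AgentKey records."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = AGENT_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ssh-add -l line: {line!r}")
        keys.append(AgentKey(int(m[1]), m[2], m[3], m[4]))
    return keys


def host_settings(config_text: str, host: str) -> Dict[str, object]:
    """Collect IdentityFile / CertificateFile / IdentitiesOnly for one Host block.

    Simplification (assumption): exact Host match only; ssh's pattern matching
    and first-obtained-value merging across blocks are not modelled.
    """
    settings: Dict[str, object] = {
        "identity_files": [], "certificate_files": [], "identities_only": False}
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            in_block = host in value.split()
            continue
        if not in_block:
            continue
        if key == "identityfile":
            settings["identity_files"].append(value)
        elif key == "certificatefile":
            settings["certificate_files"].append(value)
        elif key == "identitiesonly":
            settings["identities_only"] = value.lower() == "yes"
    return settings


def cert_path_ssh_looks_for(identity_file: str) -> str:
    """ssh_config(5): the certificate is loaded from IdentityFile + "-cert.pub"."""
    return identity_file + "-cert.pub"


def diagnose(agent_text: str, config_text: str, host: str,
             file_fingerprints: Dict[str, str],
             existing_files: Set[str]) -> List[Tuple[str, str]]:
    """Return (identity_file, verdict) pairs for the given host."""
    settings = host_settings(config_text, host)
    agent_cert_fps = {k.fingerprint for k in parse_ssh_add_list(agent_text) if k.is_cert}
    verdicts = []
    for ident in settings["identity_files"]:
        on_disk = settings["certificate_files"] or cert_path_ssh_looks_for(ident) in existing_files
        if on_disk:
            verdicts.append((ident, "cert-from-disk"))
        elif file_fingerprints.get(ident) in agent_cert_fps:
            # The cert is in the agent; IdentitiesOnly decides whether ssh will use it.
            if settings["identities_only"]:
                verdicts.append((ident, "cert-only-in-agent-not-offered"))
            else:
                verdicts.append((ident, "cert-offered-from-agent"))
        else:
            verdicts.append((ident, "no-cert"))
    return verdicts


# Constructed sample input mirroring the report (placeholder fingerprint).
SAMPLE_FP = "SHA256:AAAAexampleFingerprintPlaceholder0000000000"
SAMPLE_AGENT = (f"256 {SAMPLE_FP} laptop (ED25519)\n"
                f"256 {SAMPLE_FP} laptop (ED25519-CERT)\n")
SAMPLE_CONFIG = "Host exemple.org\n    IdentityFile ~/.ssh/id_ed25519.pub\n    IdentitiesOnly Yes\n"
SAMPLE_FINGERPRINTS = {"~/.ssh/id_ed25519.pub": SAMPLE_FP}
SAMPLE_FILES = {"~/.ssh/config", "~/.ssh/id_ed25519.pub"}


def run_sample() -> List[Tuple[str, str]]:
    return diagnose(SAMPLE_AGENT, SAMPLE_CONFIG, "exemple.org",
                    SAMPLE_FINGERPRINTS, SAMPLE_FILES)


if __name__ == "__main__":
    for ident, verdict in run_sample():
        print(f"{ident}: {verdict}")
```

In the report's scenario the verdict is "cert-only-in-agent-not-offered"; dropping 'IdentitiesOnly Yes' or writing the certificate to ~/.ssh/id_ed25519.pub-cert.pub (or naming it with CertificateFile) changes the outcome, which is the practical workaround until the client also consults the agent.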
bugzilla-daemon at mindrot.org
2024-Apr-19 23:30 UTC
[Bug 3681] SSH Agent Certificate Not Recognized with 'IdentitiesOnly' Configured
https://bugzilla.mindrot.org/show_bug.cgi?id=3681

--- Comment #1 from AlexpFR <contact at alexandre-petit.fr> ---
Edit: Read ls ~/.ssh/ not ls ~/.ssh/config
bugzilla-daemon at mindrot.org
2024-Jun-23 22:36 UTC
[Bug 3681] SSH Agent Certificate Not Recognized with 'IdentitiesOnly' Configured
https://bugzilla.mindrot.org/show_bug.cgi?id=3681

--- Comment #2 from AlexpFR <contact at alexandre-petit.fr> ---
Link to the GitHub Pull request: https://github.com/openssh/openssh-portable/pull/494