YC
2019-Jan-29 14:35 UTC
ssh-agent could not add signed cert when private key stored in yubikey
Hi,

I'm currently stuck with YubiKey + signed user key + ssh-agent forwarding. As https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html notes, I have the private key stored in the YubiKey, the public key in ~/.ssh/id_rsa.pub and the signed public key in ~/.ssh/id_rsa-cert.pub on the PC (see below).

It's not working with this agent-forwarding access: PC----Server_A----Server_B. With the private key saved in ~/id_rsa, it works fine! After a simple comparison, I found that when the private key is stored in the YubiKey hardware, ssh-add does not add the signed public key (id_rsa-cert.pub) to ssh-agent. Could this be the problem? Is there a way to add the signed public key to ssh-agent?

-- yc.
Jakub Jelen
2019-Jan-29 16:19 UTC
ssh-agent could not add signed cert when private key stored in yubikey
On Tue, 2019-01-29 at 22:35 +0800, YC wrote:
> Hi,
>
> I'm currently stuck with yubikey + signed user key + ssh-agent
> forwarding.
> As
> https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html
> noted, I have private key stored in yubikey, public key in
> ~/.ssh/id_rsa.pub and signed public key in ~/.ssh/id_rsa-cert.pub on
> PC
> (see below).
>
> It's not working with this agent forwarding access:
> PC----Server_A----Server_B. Placing
> private key saved in ~/id_rsa, it works fine! After a simple
> comparison,
> I found that when
> private key store in yubikey hardware, ssh-add would not add signed
> public key (id_rsa-cert.pub) to ssh-agent, should this be the
> problem?
> Is there a way to add signed public key to ssh-agent?

This is a known bug tracked here [1], including a proposed patch. One possibility is to copy the public key and certificate to your Server A, or use the patch attached to the bug [1] (or wait, and it will hopefully land in the next release).

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2472

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
Damien Miller
2019-Jan-29 22:58 UTC
ssh-agent could not add signed cert when private key stored in yubikey
On Tue, 29 Jan 2019, YC wrote:
> Hi,
>
> I'm currently stuck with yubikey + signed user key + ssh-agent forwarding.
> As https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html noted,
> I have private key stored in yubikey, public key in ~/.ssh/id_rsa.pub and
> signed public key in ~/.ssh/id_rsa-cert.pub on PC (see below).

There is currently no way to add certificates to an agent for PKCS#11 keys.

That being said, you don't strictly need to. ssh is able to graft the certificates to private keys held in agents or tokens at runtime - you just need to specify the certificate(s) using the IdentityFile directive.

Note that this won't work using agent forwarding, but it will work using ProxyJump.

-d
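The ProxyJump arrangement Damien describes, written out as a client-side ssh_config fragment. This is an added illustration, not configuration from the thread or from Yubico's guide; the host names, the PKCS#11 module path (/usr/local/lib/opensc-pkcs11.so) and the PC's user name are assumptions, and the key and certificate paths are the ones YC named.

```sshconfig
# ~/.ssh/config on the PC (added example; host names and module path are assumed)

# Server_A: the private key lives on the YubiKey, reached through the PKCS#11
# module. ssh loads ~/.ssh/id_rsa-cert.pub via IdentityFile and grafts that
# certificate onto the token-held key at runtime, as the reply above explains.
Host server_a
    HostName server-a.example.com
    User yc
    PKCS11Provider /usr/local/lib/opensc-pkcs11.so
    IdentityFile ~/.ssh/id_rsa-cert.pub

# Server_B: reached *through* Server_A with ProxyJump. The ssh process that
# authenticates to Server_B still runs on the PC, so it has both the token and
# the certificate file and can do the same grafting. Agent forwarding would not
# work here: the ssh on Server_A only sees the bare key in the forwarded agent,
# with no certificate attached to it.
Host server_b
    HostName server-b.example.com
    User yc
    ProxyJump server_a
    PKCS11Provider /usr/local/lib/opensc-pkcs11.so
    IdentityFile ~/.ssh/id_rsa-cert.pub
    # ForwardAgent is deliberately left off; nothing on Server_A needs the agent.
```

To confirm what ssh will actually use before connecting, `ssh -G server_b` prints the resolved options (check that `pkcs11provider`, `proxyjump` and `identityfile` come out as intended), `ssh-keygen -L -f ~/.ssh/id_rsa-cert.pub` shows the certificate's principals and validity window so you can see it matches the key on the token, and `ssh -v server_b` logs which identity and certificate are offered during authentication. Beyond working around this bug, ProxyJump is the safer design anyway: with agent forwarding, anyone who is root on Server_A can use the forwarded agent socket to sign with the YubiKey while the session is up, whereas with ProxyJump Server_A only relays TCP and never sees an agent at all.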