openssh unix dev - Aug 2019 - ssh-agent and certificates

Hi there!

I'm new to this list, and i hope, it's the right place for my
feature-wish...

I installed an user and host-ca for my openssh, signed all my pubkeys
for all hosts and users and so own, did all, what's to do for
certificate-based authentication with openssh.

Great feature! Thank you for that.

But then i told it my boss, that it could be a good, a very good thing
for our company, because we have really high secure data on our servers...

He asked me, if certificate-based authentication works with ssh-agent
and jumphosts... so i could not find anything till now in the internet.
I fiddled around with my testingservers, but i could not get it work,
authenticating on a server via a jumphost and ssh-agent forwarding to
another server.

Is this already posible? And how do I have to do this? What's the right
configuration? Can I user ProxyCommand with certificates?


thank you

Jakob

-- 
lore ipsum

On Wed, Aug 28, 2019 at 1:22 PM Jakob Sch?rz <wertstoffe at schuerz.at>
wrote:
> Is this already posible? And how do I have to do this? What's the right
> configuration? Can I user ProxyCommand with certificates?
Hi,

yes, certificates work with proxycommand. from the perspective of the
client and ssh-agent, certificates are (mostly) just like regular
ssh-keys.

you may be getting hung up on the server side configuration. Check
sshd_config(5) manpage for TrustedUserCAKeys and the ssh-keygen(1)
manpage for CERTIFICATES.

this 8 year old blog post is a good basic resource for information on
ssh certificates as well:
https://blog.habets.se/2011/07/OpenSSH-certificates.html
>
>
> thank you
>
> Jakob
>
> --
> lore ipsum
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev