search for: privatekeycommand

Displaying 6 results from an estimated 6 matches for "privatekeycommand".

2024 Mar 10
3
PrivateKeyCommand config idea
...ass, > or running into problems when trying to do agent-forwarding with > gpg-backed keys on non-Linux OSes. Even on Linux, I think such a > workflow can be a bit flaky at times. > > I wondered if there would be support for adding a new configuration > option called something like PrivateKeyCommand, analogous to existing > "*Command" configs like AuthorizedKeysCommand. In practice I imagine > it looks like this: > > Host gerrit.example.com > PrivateKeyCommand pass show ssh/gerrit_ed25519 > > I suppose another possibility for the name could be IdentityComm...
2024 Mar 08
3
PrivateKeyCommand config idea
...o get the passphrase out of Pass, or running into problems when trying to do agent-forwarding with gpg-backed keys on non-Linux OSes. Even on Linux, I think such a workflow can be a bit flaky at times. I wondered if there would be support for adding a new configuration option called something like PrivateKeyCommand, analogous to existing "*Command" configs like AuthorizedKeysCommand. In practice I imagine it looks like this: Host gerrit.example.com PrivateKeyCommand pass show ssh/gerrit_ed25519 I suppose another possibility for the name could be IdentityCommand, analogous to IdentityFile....
2024 Mar 11
1
PrivateKeyCommand config idea
Hey Damien, > Would you be able to do this using the ssh-agent protocol? It's > relatively easy to make custom agent implementations for special use > cases, e.g. using https://pkg.go.dev/golang.org/x/crypto/ssh/agent#Agent Hmm, okay, I just realized the protocol has a full specification at https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent. Would it be possible to get that
2024 Mar 12
0
PrivateKeyCommand config idea
BTW not for your use case with the decryption, but if people want to dynamically create/provision short lived keys, they could use "match host * exec gen-key.sh %s" config to run a program before each connection. However it can't stdout the key material, but what it could do is update a temporary Identity file or push it short-lived with ssh-add to the running (standard) agent. openssh at tr.id.au
2024 Mar 12
1
PrivateKeyCommand config idea
BTW not for your use case with the decryption, but if people want to dynamically create/provision short lived keys, they could use "match host * exec gen-key.sh %s" config to run a program before each connection. However it can't stdout the key material, but what it could do is update a temporary Identity file or push it short-lived with ssh-add to the running (standard) agent. openssh at tr.id.au
2024 Mar 12
1
PrivateKeyCommand config idea
On Mon, Mar 11, 2024, at 6:05 PM, Bernd Eckenfels wrote: > BTW not for your use case with the decryption, but if people want to > dynamically create/provision short lived > keys, they could use "match host * exec gen-key.sh %s" config to run a > program before each connection. > However it can't stdout the key material, but what it could do is > update a temporary Identity file