similar to: [PATCH] ssh-add: support parser-friendly operation

Displaying 20 results from an estimated 200 matches similar to: "[PATCH] ssh-add: support parser-friendly operation"

2025 Jan 10
2
[PATCH v2] ssh-add: support external parsing of key listing
From: Corey Hickey <chickey at tagged.com> When ssh-add is used in a script like: if ! KEY_LISTING=$(ssh-add -l 2>&1) ; then echo "SSH agent error" >&2 exit 2 fi ...the operation fails when there is an agent but there are no keys in the agent. This is because ssh-add exits with status of 1. If the intent is to examine the keys in the agent,
2025 Jan 10
1
[PATCH v2] ssh-add: support external parsing of key listing
What about simply modifying your script? For example, instead of simply doing "ssh-add -l," you could use "ssh-add -l | grep SHA256." This would eliminate any non-key output to stdout, but admittedly assumes that the fingerprint algorithm does not change. -- Iain On 1/9/25, 7:09 PM, "openssh-unix-dev" <openssh-unix-dev-bounces+iain.morgan=nasa.gov at
2012 Jun 06
3
extracting values from txt file that follow user-supplied quote
useRs- I'm attempting to scan a more than 1Gb text file and read and store the values that follow a specific key-phrase that is repeated multiple time throughout the file. A snippet of the text file I'm trying to read is attached. The text file is a dumping ground for various aspects of the performance of the model that generates it. Thus, the location of information I'm wanting
2015 Jul 26
2
[PATCH] ssh-agent: Add support to load additional certificates
Add support to load additional certificates for already loaded private keys. Useful if the private key is on a PKCS#11 hardware token. The private keys inside ssh-agent are now using a refcount to share the private parts between "Identities". The reason for this change was that the PKCS#11 code might have redirected ("wrap") the RSA functions to a hardware token. We don't
2025 Jan 13
2
[PATCH] ssh-add: support parser-friendly operation
On Fri, 10 Jan 2025, Corey Hickey wrote: > On 2025-01-10 01:35, Jochen Bern wrote: > > On 10.01.25 00:33, Corey Hickey wrote: > > > I took the approach of preserving current behavior by default, but > > > another approach would be to: > > > * print "The agent has no identities." to stderr instead of stdout > > > * exit with a status of 0
2020 Jul 21
11
[RFC PATCH 0/4] PAM module for ssh-agent user authentication
Hi, The main (and probably the only) use case of this PAM module is to let sudo authenticate users via their ssh-agent, therefore without having to type any password and without being tempted to use the NOPASSWD sudo option for such convenience. The principle is originally implemented by an existing module [0][1] and many pages that explain how to use it for such purpose can be found online.
2015 Jul 29
2
[PATCH] ssh: Add option to present certificates on command line
Allow users to specify certificates to be used for authentication on the command line with the '-z' argument when running ssh. For successful authentication, the key pair associated with the certificate must also be presented during the ssh. Certificates may also be specified in ssh_config as a CertificateFile. This option is meant to address the issue mentioned in the following
2025 Jan 10
1
[PATCH] ssh-add: support parser-friendly operation
On 10.01.25 00:33, Corey Hickey wrote: > I took the approach of preserving current behavior by default, but > another approach would be to: > * print "The agent has no identities." to stderr instead of stdout > * exit with a status of 0 instead of 1 Please don't. If you want to ever get people to load their privkeys into the agent *with a limited lifetime*, having a
2020 Jan 30
6
[PATCH 1/2] Add support for openssl engine based keys
Engine keys are keys whose file format is understood by a specific engine rather than by openssl itself. Since these keys are file based, the pkcs11 interface isn't appropriate for them because they don't actually represent tokens. The current most useful engine for openssh keys are the TPM engines, which allow all private keys to be stored in a form only the TPM hardware can decode,
2011 Apr 07
6
new option ssh-add -v to verify if key is loaded into the agent
Dear openssh developers In a shell script I need to verify if a key belonging to a given public key file is already loaded into the agent. To achieve this, I added a new option -v to ssh-add which does this verification. The patch bases on openssh v5.8p1. The regression test agent.sh was extended to test this new feature. Is there any chance for inclusion of attached patch? Cheers Konrad --
2018 Feb 23
2
Attempts to connect to Axway SFTP server result in publickey auth loopin
On Fri, Feb 23, 2018 at 05:01:00PM +1100, Darren Tucker wrote: > You could try this patch which defers resetting the "tried" flag on the > pubkeys until the list of authentication methods changes. I don't have > a server with this behaviour so I'm not sure if it helps (and I'm not > sure it's the right thing to do anyway). I think this is a better way to
2025 Jan 09
2
[PATCH] ssh-add: support parser-friendly operation
On 2025-01-09 15:27, Corey Hickey wrote: > From: Corey Hickey <chickey at tagged.com> > > When ssh-add is used in a script like: > > if ! KEY_LISTING=$(ssh-add -l 2>&1) ; then > echo "SSH agent error" >&2 > exit 2 > fi > > ...the operation fails when there is an agent but there are no keys in > the agent.
2025 Jan 10
2
[PATCH] ssh-add: support parser-friendly operation
On 2025-01-10 01:35, Jochen Bern wrote: > On 10.01.25 00:33, Corey Hickey wrote: >> I took the approach of preserving current behavior by default, but >> another approach would be to: >> * print "The agent has no identities." to stderr instead of stdout >> * exit with a status of 0 instead of 1 > > Please don't. If you want to ever get people to load
2016 Dec 28
2
certificates keys on pkcs11 devices
Hi, I have not found any way to use a Certificate with ssh-agent when my Key is stored on a pkcs11 device. I can add my key with ssh-add -s /usr/local/lib/opensc-pkcs11.so but ssh-add -s /usr/local/lib/opensc-pkcs11.so ~/.ssh/mykey-cert.pub does not add the certificate to my agent. As far as I understand, in ssh-add.c line 580 if (pkcs11provider != NULL) { if (update_card(agent_fd,
2014 Apr 19
3
[Bug 2234] New: ssh-add -l output aborts on unrecognized key, skips flush when stdout not tty
https://bugzilla.mindrot.org/show_bug.cgi?id=2234 Bug ID: 2234 Summary: ssh-add -l output aborts on unrecognized key, skips flush when stdout not tty Product: Portable OpenSSH Version: 6.6p1 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component:
2016 Apr 22
2
Client-side public key causing mess
On Fri, Apr 22, 2016 at 3:41 AM, Damien Miller <djm at mindrot.org> wrote: > On Tue, 19 Apr 2016, Elouan Keryell-Even wrote: > >> Hello, >> >> I have a client machine and a server machine. I generated a pair of >> private-public rsa keys using ssh-keygen. >> >> On the client-machine, I uploaded my private key onto ~/.ssh/id_rsa >> >> On
2017 Oct 26
3
[RFC 0/2] add engine based keys
Engine keys are private key files which are only understood by openssl external engines. The problem is they can't be loaded with the usual openssl methods, they have to be loaded via ENGINE_load_private_key(). Because they're files, they fit well into openssh pub/private file structure, so they're not very appropriately handled by the pkcs11 interface because it assumes the private
2002 Jul 22
9
[Patch] Improve portability of regression tests
Hello All. As promised, here is what I needed to do to get the regression tests to work on AIX & HPUX. It goes into a bit of detail in the hope that others might be able to get them running on their platforms. I've run these mods on AIX 4.3.3, HP-UX 11.00, Solaris 8, Redhat 7.3 and OpenBSD 3.0. The problems I encountered: * prereqs (pmake, md5sum) * bad directory owner/mode causing auth
2020 Jun 09
3
[PATCH v2 0/2] Add openssl engine keys with provider upgrade path
I've architected this in a way that looks future proof at least to the openssl provider transition. What will happen in openssl 3.0.0 is that providers become active and will accept keys via URI. The current file mechanisms will still be available but internally it will become a file URI. To support the provider interface, openssl will have to accept keys by URI instead of file and may
2020 Oct 06
2
Accessing SSH key path using SSH_ASKPASS and passwordstore
Hello, With the introduction of SSH_ASKPASS_REQUIRE in version 8.4, I've set up a script for SSH_ASKPASS to query my local passwordstore (https://www.passwordstore.org/) vault to retrieve the password for a given key. This works for ssh-add as well as ssh (configured with AddKeysToAgent set to 'yes'). My workflow effectively transforms into entering the password for the GPG key used