https://bugzilla.mindrot.org/show_bug.cgi?id=2436
--- Comment #2 from David Gervais <dgerv...@gmail.com> --- We plan to use multiple certificates where a centralize authentication and authorization service will provide limited-use ssh certificate endorsements on user's ssh keys to uniquely access servers in our network (currently consisting of ~200000+ servers). In this model (which plans to replace our existing ssh proxy model), users will need to juggle many certificates spanning each access attempt and even each command they would like to run remotely. Having the functionality to select a certificate within ssh itself will be amazingly helpful. We have an ssh-certificate-agent application that can be used to provide this functionality now by proxying the communication from ssh to the ssh-agent where the ssh-certificate-agent can load the public certificate and can delegate signing to the ssh-agent though this is not an optimal solution. A patch for the ssh-certificate-agent (also authored by mebhat) attached if interested. With respect to using a command line option of -z, what would the alternative be? The other potential solution I could envision would be to overload the use of -i and if the provided argument ends with -cert.pub, then we treat it as we do when parsing arguments from -z? I think I would prefer isolating the behavior to a separate option, though completely open to other alternatives. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. _______________________________________________ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
