https://bugzilla.mindrot.org/show_bug.cgi?id=2472
--- Comment #7 from Thomas Jarosch <thomas.jaro...@intra2net.com> ---

Hi Damien,

cooking this patchset a little further:

(In reply to Damien Miller from comment #5)
> Looking at the patch, I like the idea but I don't think we need to
> modify ssh-agent to accommodate it.
>
> Couldn't ssh-add just graft the extra certificates to the private
> key and send them? This is similar to how it sends implicit
> *-cert.pub certificates now.

It's been a while, but I remember vaguely that if you remove a certificate again with the current upstream code, it will call sshkey_free(id->key) and this will kill the PKCS#11 provider, too.

-> refcounting is needed, especially if multiple certs reference the same PKCS#11 token / private key.

I could split the refcounting and the "key shadowing" into two distinct code changes if there's a chance of upstreaming the concept in general. Not sure if it's worth the effort since it almost touches the same code places.

> It might be a little more hassle for the user, since they will need
> to have their private keys available at the same time as their
> certificates, but IMO users shouldn't be able to add keys to an
> agent *without* presenting their private section.

If you want to go this route, there are still two unsolved riddles here:

- How would one specify the filename for the public certs when using PKCS#11?
- Also: How would it pick up multiple certs for the same private key?

Also, agent forwarding probably won't work; you would need to copy the certificate files to the machine from which you want to hop to the next machine.

Cheers,
Thomas

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
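The lifetime problem Thomas describes (removing one certificate frees the key object that other certificates, and the PKCS#11 provider handle behind it, still depend on) is the classic case for reference counting. The following is an added illustration written for this page, not OpenSSH code: `shared_key`, `identity`, `key_ref`/`key_unref` and the simulated provider-close counter are all assumed names standing in for `sshkey`, the agent's identity entries and the real provider teardown. It shows that with refcounting, removing the first of two certificates sharing one token key leaves the key usable, and the provider is closed exactly once, when the last reference goes away.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated PKCS#11 provider teardown counter (assumption: stands in for
 * the real provider close path so the behaviour can be observed). */
static int provider_close_count = 0;

/* Hypothetical refcounted key object standing in for sshkey. */
struct shared_key {
    int refcount;
    int provider_open;   /* 1 while the simulated provider handle is alive */
    char label[32];
};

static struct shared_key *key_new(const char *label) {
    struct shared_key *k = calloc(1, sizeof(*k));
    if (k == NULL)
        return NULL;
    k->refcount = 1;          /* the creator holds the first reference */
    k->provider_open = 1;     /* "opening" the simulated PKCS#11 provider */
    snprintf(k->label, sizeof(k->label), "%s", label);
    return k;
}

/* Take an additional reference; returns the same object for convenience. */
static struct shared_key *key_ref(struct shared_key *k) {
    if (k != NULL)
        k->refcount++;
    return k;
}

/* Drop a reference; only the last drop tears down the provider and frees. */
static void key_unref(struct shared_key *k) {
    if (k == NULL)
        return;
    if (--k->refcount > 0)
        return;
    if (k->provider_open) {
        k->provider_open = 0;
        provider_close_count++;   /* provider closed exactly once */
    }
    free(k);
}

/* An agent identity: a certificate grafted onto a (possibly shared) key. */
struct identity {
    struct shared_key *key;
    char cert_name[32];
};

static struct identity *identity_add(struct shared_key *key, const char *cert_name) {
    struct identity *id = calloc(1, sizeof(*id));
    if (id == NULL)
        return NULL;
    id->key = key_ref(key);   /* identity owns one reference, not the key */
    snprintf(id->cert_name, sizeof(id->cert_name), "%s", cert_name);
    return id;
}

/* The refcounted replacement for an unconditional sshkey_free(id->key). */
static void identity_remove(struct identity *id) {
    if (id == NULL)
        return;
    key_unref(id->key);
    free(id);
}

int provider_closes(void) {
    return provider_close_count;
}

/* Scenario: two certs reference one token key; remove one, then the other.
 * Returns 1 when the key survived the first removal and the provider was
 * closed exactly once after the second, 0 otherwise. */
int scenario_two_certs_remove_one(void) {
    provider_close_count = 0;
    struct shared_key *k = key_new("token-key");
    struct identity *a = identity_add(k, "cert-a");
    struct identity *b = identity_add(k, "cert-b");
    key_unref(k);                 /* loader's reference; identities now own k */

    identity_remove(a);           /* first cert removed: k must still be live */
    int still_open = k->provider_open;          /* valid: b still holds a ref */
    int closed_after_first = provider_close_count;

    identity_remove(b);           /* last reference: provider torn down here */
    return still_open && closed_after_first == 0 && provider_close_count == 1;
}

int main(void) {
    printf("refcount scenario ok: %d, provider closes: %d\n",
           scenario_two_certs_remove_one(), provider_closes());
    return 0;
}
```

The point of the second `key_unref(k)` in the scenario is the ownership rule: whoever loads the key hands it to the identities and drops its own reference, so the key's lifetime is bounded by the identities that still mention it rather than by whichever certificate happens to be removed first.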