https://bugzilla.mindrot.org/show_bug.cgi?id=2472
--- Comment #14 from Thomas Jarosch <thomas.jaro...@intra2net.com> ---

Hi Damien,

I've begun working on this patch set again. It's ported to openssh 7.6p1 already.

What I don't like about the implementation is that it creates an "empty" private key via sshkey_add_private() in ssh-add to reuse the existing sshkey_private_serialize() infrastructure. Later on ssh-agent uses the new sshkey_is_private() "hack" to determine if it's just a cert or a full private key.

A cleaner approach would be this:

- Add SSH2_AGENTC_ADD_CERTIFICATE_CONSTRAINED on-the-wire id
- Add sshkey_cert_serialize() and _deserialize()
- Load certificate via "ssh-add some-cert-file.pub" if a matching private key is already available (either loaded or on a PKCS11 token).

The clean extension to the ssh-agent protocol could be added to https://tools.ietf.org/html/draft-miller-ssh-agent-02 and also be re-used by gpg2's ssh-agent emulation in the near future.

I've also checked the discussion on the resolved bug 2436 and it also had the goal to use multiple certificates. Having ssh-agent support for this would be the next step.

[side note: The current PKCS11 code in ssh-add skips loading *any* certificate. This might be due to the refcounting issue as outlined in comment 7]

What do you think?

You mentioned earlier:

> but IMO users shouldn't be able to add keys to an agent *without*
> presenting their private section.

Can you elaborate a little more on this? Do you see a security risk?

-- 
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
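To make the "empty private key" trick and the proposed agent policy concrete, here is an added illustration in Python. It is not OpenSSH code and not part of the patch set under discussion. The uint32-length string framing and the SSH_AGENTC_ADD_IDENTITY message number (17) are taken from draft-miller-ssh-agent; the ed25519 body layout (key type, cert blob for certificate types, public key, private key, comment) follows what OpenSSH's ssh-add emits for that key type. The key bytes and certificate blob are constructed placeholders, not real key material, and the cert blob is not validated against the public key. The function `agent_should_accept` is a hypothetical model of the rule described in the comment (a certificate without a private section is only accepted when a matching private key is already loaded); it is not how ssh-agent behaves today.

```python
"""Parse/build SSH_AGENTC_ADD_IDENTITY for ed25519 keys and certificates.

Added example, not OpenSSH code. Constructed key bytes; nothing here is
real key material.
"""
import struct

SSH_AGENTC_ADD_IDENTITY = 17          # draft-miller-ssh-agent message number
ED25519 = "ssh-ed25519"
ED25519_CERT = "ssh-ed25519-cert-v01@openssh.com"

# Constructed placeholders (real ed25519 keys: 32-byte pk, 64-byte sk).
PK = bytes(range(32))
SK = bytes(range(64))
CERT = b"\x00\x00\x00 " + ED25519_CERT.encode() + b"<constructed cert body>"


def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    """Read one SSH string at offset; refuse truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def build_add_identity(key_type, pk, sk, comment, cert_blob=None) -> bytes:
    """Encode an add-identity request. An empty sk reproduces the
    'empty private key' hack from the comment above."""
    body = put_string(key_type.encode())
    if key_type == ED25519_CERT:
        if cert_blob is None:
            raise ValueError("certificate type needs a cert blob")
        body += put_string(cert_blob)
    elif key_type != ED25519:
        raise ValueError("unsupported key type in this example")
    body += put_string(pk) + put_string(sk) + put_string(comment.encode())
    return bytes([SSH_AGENTC_ADD_IDENTITY]) + body


def parse_add_identity(msg: bytes) -> dict:
    """Decode the request and report whether a private section is present
    (the role sshkey_is_private() plays in the described patch)."""
    if not msg or msg[0] != SSH_AGENTC_ADD_IDENTITY:
        raise ValueError("not an ADD_IDENTITY message")
    off = 1
    raw_type, off = get_string(msg, off)
    key_type = raw_type.decode()
    cert_blob = None
    if key_type == ED25519_CERT:
        cert_blob, off = get_string(msg, off)
    elif key_type != ED25519:
        raise ValueError("unsupported key type in this example")
    pk, off = get_string(msg, off)
    sk, off = get_string(msg, off)
    comment, off = get_string(msg, off)
    if off != len(msg):
        raise ValueError("trailing bytes after message")
    return {
        "type": key_type,
        "is_cert": cert_blob is not None,
        "cert": cert_blob,
        "pk": pk,
        "has_private": len(sk) > 0,
        "comment": comment.decode(),
    }


def agent_should_accept(ident: dict, loaded_pks) -> bool:
    """Hypothetical agent policy: a full private key is always accepted; a
    certificate with no private section only if the agent already holds the
    matching private key. Anything else is refused."""
    if ident["has_private"]:
        return True
    return ident["is_cert"] and ident["pk"] in loaded_pks
```

Running `parse_add_identity(build_add_identity(ED25519_CERT, PK, b"", "c", cert_blob=CERT))` yields `has_private == False`, and `agent_should_accept` then returns False for an empty agent and True once `PK` is among the loaded keys, which is the behaviour the "load the cert only if a matching private key is available" step asks for.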