[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436 Damien Miller changed: What|Removed |Added Status|RESOLVED|CLOSED --- Comment #7 from Damien Miller --- Close all resolved bugs after 7.3p1 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436 Damien Miller changed: What|Removed |Added Status|ASSIGNED|RESOLVED Resolution|--- |FIXED --- Comment #6 from Damien Miller --- patch applied - this will be in openssh-7.2. Thanks! -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436 --- Comment #5 from David Gervais --- Reviewed the proposed changes and really like the new approach. Also confirmed that the proposed patch functions as expected. As for the -z option, I completely forgot that -oCertificateFile was an option. I, personally, would be fine dropping -z in favor of -oCertificateFile as to not pollute the getopt space as you've mentioned previously. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436 --- Comment #4 from Damien Miller --- Created attachment 2700 --> https://bugzilla.mindrot.org/attachment.cgi?id=2700&action=edit revised patch Here's a tweaked version of the patch. Changes are: - add_certificate_file() never used its "dir" argument; remove it and save some code - merge load_certificate_files() into load_public_identity_files(); much of the code is shared (especially % expansion) - if any CertificateFiles have been specified, skip trying to load key-cert.pub by default. I figure that if users are specifying certificates themselves then they don't want implicit behaviour to confuse things. - log (at debug2 level) which private key is being used for the certificate and cases where no private key was found for a given certificate - Simplify the matching of certificates to private keys in sign_and_send_pubkey() and use it for all certificates (i.e. both CertificateFile and implicit *-cert.pub ones). - Tweak the wording of the manpage a little and mention the interaction with IdentitiesOnly. I've left the ssh -z option in there for now. The alternative to an explicit flag is making users use -oCertificateFile=... -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436 --- Comment #3 from David Gervais --- Created attachment 2694 --> https://bugzilla.mindrot.org/attachment.cgi?id=2694&action=edit ssh-certificate-agent proof-of-concept code ssh-certificate-agent proof-of-concept code attached. The ssh certificate agent allows the user to ssh using specific input certificates. It communicates with the regular ssh agent to get the certificate signed. It does not support adding or removing of keys. As mentioned in my previous post, having this functionality in ssh directly would be incredibly helpful. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436 --- Comment #2 from David Gervais --- We plan to use multiple certificates where a centralize authentication and authorization service will provide limited-use ssh certificate endorsements on user's ssh keys to uniquely access servers in our network (currently consisting of ~20+ servers). In this model (which plans to replace our existing ssh proxy model), users will need to juggle many certificates spanning each access attempt and even each command they would like to run remotely. Having the functionality to select a certificate within ssh itself will be amazingly helpful. We have an ssh-certificate-agent application that can be used to provide this functionality now by proxying the communication from ssh to the ssh-agent where the ssh-certificate-agent can load the public certificate and can delegate signing to the ssh-agent though this is not an optimal solution. A patch for the ssh-certificate-agent (also authored by mebhat) attached if interested. With respect to using a command line option of -z, what would the alternative be? The other potential solution I could envision would be to overload the use of -i and if the provided argument ends with -cert.pub, then we treat it as we do when parsing arguments from -z? I think I would prefer isolating the behavior to a separate option, though completely open to other alternatives. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436 Damien Miller changed: What|Removed |Added Blocks||2451 Status|NEW |ASSIGNED --- Comment #1 from Damien Miller --- Thanks for writing this and especially for taking the time to write a regress test too. I'll take a look at this, but I'm not sure about using up one of our few remaining getopt() characters for this - multiple certificates are a fairly rare situation. Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=2451 [Bug 2451] Bugs intended to be fixed in 7.2 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436 Damien Miller changed: What|Removed |Added CC||d...@mindrot.org Attachment #2679|0 |1 is patch|| Attachment #2679|application/octet-stream|text/plain mime type|| -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2436] Add ssh option to present certificates on command line
https://bugzilla.mindrot.org/show_bug.cgi?id=2436 David Gervais changed: What|Removed |Added CC||dgerv...@gmail.com -- You are receiving this mail because: You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs