[PATCH] ssh: update certificate support

NIIBE Yutaka gniibe at fsij.org
Tue Apr 20 04:24:46 CEST 2021

Igor Okulist wrote:
> Following up on gpg-agent certificate support:
> * updated the patches to a single patch and rebased atop the 2.3 release
> * updated per prior feedback
> * considering this useful functionality as it allows for a smoother workflow
> Looking forward to feedback and comments.

Sorry for my miscommunication.  Finally, I realized that newer OpenSSH
versions behave differently.  (It would have been good if you had addressed that

I tried to understand your shell script.  The problem can be worked
around when we use the -k option for ssh-add and the -i option with the
certificate for ssh.  That recovers the old behaviour of ssh-add/ssh (of
older versions of OpenSSH).  With the -k option, ssh-add does not send
certificates to ssh-agent.  With the -i option plus the path to the
certificate, ssh handles the certificate by itself (when asked by the
remote sshd) and only asks ssh-agent for signing.

IIUC, the purpose of your patch is to make the ssh emulation of gpg-agent
behave just like the original ssh-agent does.  To support this feature (if
it's worth supporting), we need to enhance the file format of the
private key.  In the source code, gnupg/agent/keyformat.txt suggested the
use of an "OpenSSH-cert" field.

But, in my opinion, I'm not that positive about this approach.

I think that the good points will be:

  * the ssh-agent emulation of gpg-agent will be more compatible.
  * we will be able to remove the certificate file under .ssh.

And it would also be good if the gpg frontend could support making SSH
certificates (the work ssh-keygen does) by signing with an SSH CA key.

I'm afraid that adding more features (like handling certificates, the public
part of the data) to gpg-agent and adding more data to the private key file
are against the design philosophy of making gpg-agent as small as
possible, focused on private key operations.
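The workaround the reply describes (ssh-add -k to keep the certificate out of the agent, then ssh -i pointed at the certificate so ssh presents it itself and uses the agent only for signing), as an added shell demonstration that is not part of the mail, of the patch or of GnuPG. It assumes OpenSSH's ssh-keygen, ssh-agent, ssh-add and ssh are on PATH and builds a throwaway user key, CA and certificate in a temporary directory.

```shell
#!/bin/sh
# Added demo (not from the mail or GnuPG): contrast ssh-add with and without
# -k, then show which identity ssh would present when given the certificate.
set -eu

WORK=$(mktemp -d)
CA="$WORK/ca"
KEY="$WORK/id_user"
CERT="$KEY-cert.pub"

# Constructed test material: a user key, a CA key, and a certificate for the
# user key signed by the CA (the ssh-keygen -s step the mail refers to).
ssh-keygen -q -t ed25519 -N '' -f "$KEY"
ssh-keygen -q -t ed25519 -N '' -f "$CA"
ssh-keygen -q -s "$CA" -I demo-cert -n demo-user -V +1h "$KEY.pub"

# Private agent for the demo; kill it and remove the temp dir on exit.
eval "$(ssh-agent -s)" >/dev/null
trap 'ssh-agent -k >/dev/null 2>&1; rm -rf "$WORK"' EXIT

# Number of certificates the agent currently holds (0 when it has none).
agent_cert_count() {
    ssh-add -L 2>/dev/null | grep -c 'cert-v01@openssh.com' || true
}

# Old behaviour recovered with -k: only the plain private key is loaded.
add_plain_key() {
    ssh-add -D >/dev/null 2>&1 || true
    ssh-add -k "$KEY" >/dev/null 2>&1
}

# Newer default: ssh-add also picks up id_user-cert.pub next to the key.
add_key_with_cert() {
    ssh-add -D >/dev/null 2>&1 || true
    ssh-add "$KEY" >/dev/null 2>&1
}

# Identity files ssh would present when pointed at the certificate with -i;
# ssh -G only evaluates the configuration, it does not connect.
ssh_identity_files() {
    ssh -G -o IdentitiesOnly=yes -i "$CERT" user@example.invalid \
        | awk '$1 == "identityfile" { print $2 }'
}

add_key_with_cert
echo "after plain ssh-add: $(agent_cert_count) certificate(s) in agent"
add_plain_key
echo "after ssh-add -k:    $(agent_cert_count) certificate(s) in agent"
echo "ssh -i cert would use: $(ssh_identity_files)"
```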
