[PATCH] ssh: update certificate support
gniibe at fsij.org
Tue Apr 20 04:24:46 CEST 2021
Igor Okulist wrote:
> Following up on gpg-agent certificate support:
> * updated the patches to single patch and rebased atop 2.3 release
> * updated per prior feedback
> * considering this as useful functionality as it allows for smoother workflow
> Looking forward to feedback and comments.
Sorry for my miscommunication. Finally, I realized that OpenSSH newer
versions behave differently. (It were good if you had addressed that
I tried to understand your shell script. The problem can be worked
around when we use -k option for ssh-add and -i option with certificate
for ssh. That recovers the old behaviour of ssh-add/ssh (of older
versions of OpenSSH); With the -k option, ssh-add does not send
certificates to ssh-agent. With -i option plus path to certificate, ssh
handles the certificate by itself (when asked by remote sshd) and only
asks ssh-agent for signing.
IIUC, the purpose of your patch is to make ssh-emulation of gpg-agent
behave just like original ssh-agent does. To support this feature (if
it's worth to support), we need to enhance the file format of the
private key. In the source code, gnupg/agent/keyformat.txt suggested
use of "OpenSSH-cert" field.
But, in my opinion, I'm not that positive to this approach.
I think that good points will be:
* ssh-agent emulation of gpg-agent will be more compatible.
* we will be able to remove the certificate file under .ssh.
And it would be also good if gpg frontend can support making SSH
certificate (the work ssh-keygen does) by signing SSH CA key.
I'm afraid that adding more feature (like handling certificate, public
part of data) to gpg-agent and adding more data to the private key file
are against the design philosophy... making gpg-agent as small as
possible, focusing on private key operations.
More information about the Gnupg-devel