capability to add a ssh-certificate to the SSH Agent #5486
Comments
You don't add the signed public key to the ssh-agent, so it wouldn't be on us to handle it. The article states it is added to your .ssh folder.
Well, yes. That is basically true for every key by default. But you can add them to the keychain:

[user@my_user .ssh]$ ssh-add -l
The agent has no identities.
[user@my_user .ssh]$ ssh-add id_rsa
Identity added: id_rsa (user@my_user.domain)
Certificate added: id_rsa-cert.pub (USER_ID)
[user@my_user .ssh]$ ssh-add -l
3072 SHA256:1+iCBmApvXxPbo1dE5NB01X58IuxaPu3KaDMCz+slpc user@my_user.domain (RSA)
3072 SHA256:1+iCBmApvXxPbo1dE5NB01X58IuxaPu3KaDMCz+slpc user@my_user.domain (RSA-CERT)
@Underknowledge nice idea! But for difficult, granular, and distributed permissions you can also look at the Vault solution from HashiCorp - https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates, where the main idea is short-lived certificates (as it is very difficult to deliver a revocation list to a lot of
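The ssh-add session above shows the agent loading id_rsa-cert.pub next to the key, and the short-lived-certificate idea mentioned here rests on the validity window stored inside that file. As an added example (not KeePassXC or OpenSSH code), the Python below builds a constructed ssh-ed25519 *-cert.pub line in the OpenSSH certificate layout and parses back the key ID, principals and validity window, the fields a client or agent integration would inspect before a cert is worth loading; the subject key, CA key and signature bytes are placeholders and nothing is signed or verified.

```python
import base64, struct, time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b):  # SSH wire "string": 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b

class _Reader:  # sequential decoder for SSH wire types
    def __init__(self, data): self.data, self.pos = data, 0
    def uint(self, fmt):
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v
    def string(self):
        n = self.uint(">I")
        self.pos += n
        return self.data[self.pos - n:self.pos]

def build_cert_line(pubkey, key_id, principals, valid_after, valid_before, ca_pub, sig):
    """Encode an Ed25519 user cert as a *-cert.pub line (PROTOCOL.certkeys order); nothing is signed."""
    blob = b"".join([
        _s(CERT_TYPE), _s(b"\x00" * 32), _s(pubkey),    # type, nonce, subject public key
        struct.pack(">Q", 1), struct.pack(">I", 1),     # serial, type 1 = user certificate
        _s(key_id.encode()), _s(b"".join(_s(p.encode()) for p in principals)),
        struct.pack(">Q", valid_after), struct.pack(">Q", valid_before),
        _s(b""), _s(b""), _s(b""),                      # critical options, extensions, reserved
        _s(_s(b"ssh-ed25519") + _s(ca_pub)),            # signature key = CA public key
        _s(_s(b"ssh-ed25519") + _s(sig)),               # CA signature over all fields above
    ])
    return CERT_TYPE.decode() + " " + base64.b64encode(blob).decode() + " " + key_id

def parse_cert_line(line):
    """Return the fields worth checking before a *-cert.pub file goes into the agent."""
    kind, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if kind.encode() != CERT_TYPE or r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate: " + kind)
    r.string(); r.string()                              # nonce and subject public key, unused here
    serial, ctype, key_id = r.uint(">Q"), r.uint(">I"), r.string().decode()
    pr, principals = _Reader(r.string()), []            # principals: nested list of strings
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    return {"key_id": key_id, "type": "user" if ctype == 1 else "host", "serial": serial,
            "principals": principals, "valid_after": r.uint(">Q"), "valid_before": r.uint(">Q")}

def is_valid_now(cert, now=None):  # validity-window check; an expired cert is dead weight in the agent
    now = int(time.time()) if now is None else now
    return cert["valid_after"] <= now < cert["valid_before"]

# Constructed sample: placeholder key, CA and signature bytes, one-hour validity window.
SAMPLE_LINE = build_cert_line(b"\x01" * 32, "USER_ID", ["user", "deploy"],
                              1700000000, 1700003600, b"\x02" * 32, b"\x03" * 64)
```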
I second @Underknowledge's request for supporting loading Also I think the comment saying
is beside the point. If I wanted my SSH key pairs to live in As a side note, KeePassXC currently supports external files to be loaded into the ssh-agent, but this also doesn't honor existing, matching So to recap, if I manually load a private key from disk using
I'd like to see this feature as well! I am keen to try it for softlinked external ssh-key files.
I'm currently implementing the support for key certificates in the SSH agent. As soon as I have something functional, I'll propose it to the maintainers.
I've made good progress: adding and removing keys and their certificates works. I haven't tested with multiple types of key algorithms, just with ed25519. The code can still be improved; I tried to limit modification of the existing code to facilitate review. While debugging, I noticed that the keys were being parsed multiple times. If a Qt expert happens to come by, their help or advice would be welcome. Feel free to provide feedback!
Summary
I just stumbled over this nice article about signing public keys and creating SSH certificates.
I handed my SSH key management completely over to KeePassXC, it's just super convenient. But it's not possible for KeePassXC to load *-cert.pub files into the ssh-agent (workaround: save them back out to .ssh and place *-cert.pub beside it). For now I only get:
Invalid key file, expecting an OpenSSH key
Examples
Context
It really makes sense to sign certificates. Key management is pure pain, and it would be really beneficial to keep SSH keys in KeePassXC.