gpg-agent doesn't implement PROTOCOL.certkeys, latest version at
(http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.9&content-type=text/plain)
and added in OpenSSH 5.4.
After getting the public key signed, ssh-add will report SSH_AGENT_FAILURE when
handling the certificate. Makes it impossible to use OpenPGP keys for SSH
authentication on hosts that use signed keys.
| Status | Assigned | Task | ||
|---|---|---|---|---|
| Duplicate | None | T3574 gpg-agent doesn't pick up ssh certificates | ||
| Open | None | T1756 gpg-agent doesn't accept ssh certificates |
Isn't it possisble to convert it to standard ssh format and use that with ssh-add?
I am currently lacking the time to add this to gpg-agent.
ssh-add only looks for private key information. If there is a id_rsa-cert.pub file it
will add the certificate, but one cannot add a certificate alone.
There are a couple of problems:
it is added via agent forwarding it fails.
use. Some cards allow certificates to be stored on the card, and it looks from the
source to scdaemon that there is a way to read it and return it to the agent.
I could give this a try: in the case of #2, do you think it would be a reasonable
addition to gpg-agent's protocol to look for ~/.ssh/id_{rsa,dsa,ecdsa}-cert.pub when
handling a card-based private key? The cert is public info so only better portability
is gained by storing it on the card.
re 1) ssh-rsa-cert-v01@openssh.com is the certifiate as used by sshd/ssh. The
agent protocols however uses an ssh-rsa-cert-v00@openssh.com format to send the
private key to the agent. We should be easy to support this if it is sufficient
to just get the private key from the ssh-rsa-cert-v00.
re 2) I need to look close on how this is handled by the ssh-agent protocol.
gpg-agent should not look for an ssh file directly because its API is based on
the ssh-agent protocol. Thus a modified ssh is required. I noticed an
ssh-agent object related to card - this needs futher investigations.
FYI.
https://lists.gnupg.org/pipermail/gnupg-devel/2016-August/031479.html
^-- In this experiment, I tried another half of supporting OpenSSH certificates.
I found that it doesn't work as I had thought.
I think that the lower level support of gpg-agent is ready to add this feature
of accepting OpenSSH certificates, but modification of OpenSSH will be required
too, so that it works well.
Currently, the OpenSSH certificate file itself is still needed even if ssh-agent
supports OpenSSH certificates. When it returns a certificate to ssh client, ssh
client only uses the information of the key in the certificate. It is the file
which ssh client uses communicating to the server.
I am wondering if there is any workaround or work in progress about this old ticket.
I understand this is kind of an edge case, but having the possibility to use signed ssh keys would be very useful to me.
??? Do you understand how ssh keys are handled by ssh client and ssh-agent?
SSH certificate (signed key) works well with ssh-agent (and ssh-agent emulation of gpg-agent).
The discussion of this ticket is: SSH certificate itself is not under control of ssh-agent (yet), and it would be good if it could be so.
I'm sorry, if my wording sounded harsh.
FWIW, I'm describing current situation adding more info.
In other words, please use '-k' option of ssh-add, if ssh client still fails (because of the size) consider about changing certificate authentication protocol so that signing data size will be fixed size.
Update:
It looks like OpenSSH version 8 now supports ssh-agent's handling REQUEST_IDENTITIES.
Even so, we can use -k option of ssh-add and -i option of ssh.
It's not clear if adding the feature to gpg-agent is worth.
See: https://lists.gnupg.org/pipermail/gnupg-devel/2021-April/034845.html