User Details
- User Since: Mar 27 2017, 4:48 PM
- Availability: Available
May 24 2015
I removed the stub keys for the last two, that is why they are listed as "ssb#"
instead of "ssb>".
If the expected behavior is that the newest key is always preferred, then that's fine and
easy to work around with default-key, although it would be nice to exclude
unusable keys.
May 13 2015
Nov 17 2014
ssh-add only looks for private key information. If there is an id_rsa-cert.pub file it
will add the certificate, but one cannot add a certificate alone.
There are a couple of problems:
- gpg-agent doesn't recognize the cert type (ssh-rsa-cert-v01@openssh.com, etc.) so if
it is added via agent forwarding it fails.
- If the private key is on a card, then there is no private key file for ssh-add to
use. Some cards allow certificates to be stored on the card, and it looks from the
source to scdaemon that there is a way to read it and return it to the agent.
I could give this a try: in the case of #2, do you think it would be a reasonable
addition to gpg-agent's protocol to look for ~/.ssh/id_{rsa,dsa,ecdsa}-cert.pub when
handling a card-based private key? The cert is public info so only better portability
is gained by storing it on the card.