Bug 3212

Summary: Ability to add ssh certificate to ssh agent to existing private key without rereading private key from filesystem
Product: Portable OpenSSH Reporter: George Shuklin <george.shuklin>
Component: ssh-addAssignee: Assigned to nobody <unassigned-bugs>
Status: NEW ---    
Severity: enhancement CC: gl041188
Priority: P5    
Version: 8.2p1   
Hardware: amd64   
OS: Linux   

Description George Shuklin 2020-09-10 01:30:03 AEST 
Currently the single way to add a ssh certificate to the ssh agent is to re-add the private key with corresponding certificate file saved in the same directory (with -cert.pub suffix).

Some IT systems use short-lived dynamic ssh certificates. To automate allocations of certificates it would be really nice to have ability to add ssh certificate to an existing (in the ssh agent) private key, preferably from stdin.

If ssh private key is encrypted (which is advised configuration for private keys), adding a certificate together with a private key.
1) impossible to automate.
2) cause excessive typing of the password for users.

Proposition: add ability to add a certificate to the ssh agent without re-reading private key.

Proposed command line to ssh-add:

- C public_key cert_file     Add certificate to the agent based on public_key. '-' instead of cert_file indicating of use of stdin.