Bug 1914

Summary: ssh-add: add an option to cryptographically verify if agent can access the matching private key of a given public key
Product: Portable OpenSSH
Reporter: Konrad Bucheli <kb>
Component: ssh-add
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: enhancement
CC: kb
Priority: P2
Version: 5.8p2
Hardware: All
OS: Linux
Attachments:
Description                        Flags
Patch                              none
Test key in agent                  none
Patch 2                            none
updated patch for OpenSSH 6.0p1    none

Description Konrad Bucheli 2011-06-10 21:37:04 AEST
Created attachment 2055 [details]
Patch

I need to cryptographically verify if a given key is loaded into the agent.

The patch adds the option "-v pubkey" which allows ssh-add to do the same public key authentication procedure as done by sshd. This means it sends a challenge to the agent which must return a valid signature. It does not just "believe" the agent as checking the output of "ssh-add -L" would do.

Use case:
For remote access, the user logs in from home. First a one-time password is used to authenticate the user via PAM. Then we want to check if the user has his key loaded into the ssh-agent. Currently we do this by a ForcedCommand which opens another ssh session, where the key is used for authentication. We would like to do that test directly in the ForcedCommand script.

The patch is based on 5.8p2 and implements that feature for ssh1 and ssh2, contains regression tests and updates the man page.
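The challenge-response check the report describes, as an added Go example that is neither the attached patch nor OpenSSH code: it builds the agent's key blob and signature blob formats, asks an in-process mock agent (assumed to hold Ed25519 keys) to sign a fresh random challenge, and verifies the answer with the public key, so an agent that merely lists a key it cannot sign with fails the check.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)
const algo = "ssh-ed25519"
// sshString encodes an SSH wire string: uint32 big-endian length, then the bytes (RFC 4251).
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}
// KeyBlob is the public key as the agent identifies it: string "ssh-ed25519", string key.
func KeyBlob(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte(algo)), sshString(pub)...)
}
// Signer is the one agent operation the check needs (SSH_AGENTC_SIGN_REQUEST).
type Signer interface{ Sign(keyBlob, data []byte) ([]byte, error) }
// MockAgent stands in for ssh-agent (constructed for this example); keys are indexed by public blob.
type MockAgent map[string]ed25519.PrivateKey
func (a MockAgent) Sign(keyBlob, data []byte) ([]byte, error) {
	priv, ok := a[string(keyBlob)]
	if !ok {
		return nil, errors.New("agent: no such key") // a real agent answers SSH_AGENT_FAILURE
	}
	// SSH_AGENT_SIGN_RESPONSE carries a signature blob: string algorithm, string raw signature.
	return append(sshString([]byte(algo)), sshString(ed25519.Sign(priv, data))...), nil
}
// VerifyAgentHasKey performs the challenge-response the bug asks for: a fresh random
// challenge is sent to the agent and the returned signature is checked against pub.
func VerifyAgentHasKey(ag Signer, pub ed25519.PublicKey) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	resp, err := ag.Sign(KeyBlob(pub), challenge)
	if err != nil {
		return false, err
	}
	prefix := sshString([]byte(algo)) // blob must be exactly algo + 64-byte Ed25519 signature
	if !bytes.HasPrefix(resp, prefix) || len(resp) != len(prefix)+4+ed25519.SignatureSize {
		return false, errors.New("unexpected signature format")
	}
	return ed25519.Verify(pub, challenge, resp[len(prefix)+4:]), nil
}
```

Against a real agent the same request would go over the SSH_AUTH_SOCK Unix socket with the message framing added; the verification step is unchanged.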
Comment 1 Damien Miller 2011-06-10 23:45:38 AEST
Created attachment 2056 [details]
Test key in agent

Markus Friedl had a similar patch (attached).
Comment 2 Konrad Bucheli 2011-06-14 18:55:34 AEST
Created attachment 2058 [details]
Patch 2

I first posted a first version of the patch to the openssh-unix-dev mailing list (04/07/11 09:12) before realizing that Bugzilla would be the better place for it.
Markus Friedl then answered with the patch Damien Miller attached.
I used that patch as inspiration to simplify mine. I just gave it another look and there was still room for improvement, so I now have another patch.

The main difference between them is that mine also supports ssh1.
Then we disagree whether the option -v (verify) or -T (test) should be used.

I would be happy with either of those two patches as I do not need ssh1 support. I just added it for the sake of completeness and in the hope that it will ease the patch's acceptance...

Is there any support I can give for getting that feature upstream?
Comment 3 Konrad Bucheli 2012-06-02 14:36:32 AEST
Created attachment 2162 [details]
updated patch for OpenSSH 6.0p1
Comment 4 Konrad Bucheli 2019-04-23 09:58:50 AEST
A similar feature was released in OpenSSH 8.0.
Comment 5 Damien Miller 2021-04-23 14:57:35 AEST
closing resolved bugs as of 8.6p1 release