Please take a look at line 1936 in main() function in sshd.c. /* Find matching private key */ for (j = 0; j < options.num_host_key_files; j++) { if (sshkey_equal_public(key, sensitive_data.host_keys[j])) { sensitive_data.host_certificates[j] = key; break; } } the sshkey_equal_public() is trying to compare a cert's pub with a private key, and it never find a match which makes sshd cannot use this certificate even though its private key is in ssh-agent. I believe it should be comparing a cert's public key with a public key in sensitive_data as follow. /* Find matching private key */ for (j = 0; j < options.num_host_key_files; j++) { if (sshkey_equal_public(key, sensitive_data.host_pubkeys[j])) { sensitive_data.host_certificates[j] = key; break; } } https://github.com/openssh/openssh-portable/blob/V_8_4/sshd.c#L1936
Created attachment 3526 [details] check certificate against host public keys
Thanks - this has been committed as 530739d4 and will be in the next OpenSSH release
closing bugs resolved before openssh-8.9