agent-forwarding does not work with certificates #32
Comments
Can confirm that GPT is wrong about this, and also I found this, which suggests it could be either this program or my own misconfiguration: |
Is the issue here that |
I am not sure how I would tell. The certificate key private component is just a plain private key. The only thing different about a certificate as opposed to a regular pub key in SSH is that it has been signed by a CA instead of its own private component. The way I can tell that the certificate is not forwarding is that when I ssh with a forwarded agent, and then check the agent with |
Is there any info or resources I can provide to advance this issue? I'd like very much to be able to use this instead of pkcs11 for user certificates, but I haven't been able to crack it. |
I need time to actually read up on and understand the certificate implementation to figure out what the current code is missing. At the moment it's very fuzzy what needs to be done. I'm currently busy hacking on some other code, so I'm not sure when I'll get to this. But it's high on my list.
It will take me a few hours to get to the bottom of it, but it looks like when you use this agent with an SSH PKI, agent forwarding appears to cause the pubkey itself, not the certificate, to get forwarded.
Here is a scenario.
I have User machine A, and hosts B and C
User A has TPM user keys, while B and C trust the CA which has signed A's TPM pubkey.
From my user on machine A I will
ssh -Av B.local
I can confirm from the output that my certificate is approved and I log in without a password. Within this session I now
ssh -v C.local
This authorization fails. If I move the pubkey to machine C as an authorized_key, then the forwarded agent works. So it seems to me that ssh-tpm-agent needs to be modified to correctly forward the certificate, as this scheme works as intended when not using the TPM agent.
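The scenario above can be checked directly on host B, inside the `ssh -A` session: ask the forwarded agent what identities it offers and see whether a certificate key type is among them. From the command line that is `ssh-add -L`, where certificate entries print with a `-cert-v01@openssh.com` key type; the script below does the same over the agent socket so the result can be inspected programmatically. This is an added example, not code from the ssh-tpm-agent project or from any participant in this thread. It assumes only the public SSH agent protocol message numbers (11 for SSH_AGENTC_REQUEST_IDENTITIES, 12 for SSH_AGENT_IDENTITIES_ANSWER) and the OpenSSH certificate type naming; the two sample agent answers at the bottom are constructed test data with dummy key material, standing in for what a forwarded agent would return without and with the certificate.

```python
"""Added example: list the identities an SSH agent offers and flag which are
OpenSSH certificates. Run on host B inside the forwarded session; if only a
raw key type appears, the certificate did not come through the forwarding."""
import os
import socket
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
# Every OpenSSH certificate key type ends with this suffix; raw keys do not.
CERT_SUFFIX = "-cert-v01@openssh.com"


def _put_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _get_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string in agent message")
    return buf[off:off + n], off + n


def parse_identities_answer(msg: bytes):
    """Decode an SSH_AGENT_IDENTITIES_ANSWER payload (outer length prefix
    already stripped). Returns a list of (key_type, comment, is_cert)."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an SSH_AGENT_IDENTITIES_ANSWER message")
    (nkeys,) = struct.unpack_from(">I", msg, 1)
    off, identities = 5, []
    for _ in range(nkeys):
        blob, off = _get_string(msg, off)
        comment, off = _get_string(msg, off)
        # The first string inside any OpenSSH public key blob is its key type.
        key_type, _ = _get_string(blob, 0)
        kt = key_type.decode("ascii")
        identities.append((kt, comment.decode("utf-8", "replace"),
                           kt.endswith(CERT_SUFFIX)))
    return identities


def certificate_status(identities):
    """Report raw key types for which no certificate of the same base type is
    offered. An empty 'missing_cert_for' means every key has a cert alongside."""
    raw = {kt for kt, _, is_cert in identities if not is_cert}
    certs = {kt[:-len(CERT_SUFFIX)] for kt, _, is_cert in identities if is_cert}
    return {"raw_types": sorted(raw), "cert_types": sorted(certs),
            "missing_cert_for": sorted(raw - certs)}


def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("agent closed the connection early")
        data += chunk
    return data


def query_agent(sock_path=None, timeout=5.0):
    """Send SSH_AGENTC_REQUEST_IDENTITIES to the agent at sock_path (default:
    $SSH_AUTH_SOCK) and return the parsed identity list."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is not set; no agent to query")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(_put_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        (length,) = struct.unpack(">I", _recv_exact(s, 4))
        return parse_identities_answer(_recv_exact(s, length))


def build_identities_answer(entries) -> bytes:
    """Pack (key_type, comment) pairs into an identities answer payload.
    Constructed test data only: the bytes after the type string are dummies."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(entries))
    for key_type, comment in entries:
        blob = _put_string(key_type.encode()) + _put_string(b"\x00" * 32)
        body += _put_string(blob) + _put_string(comment.encode())
    return body


# Constructed samples: a forwarded agent answering with only the raw TPM key
# (the failure described in this issue) versus the raw key plus its certificate.
SAMPLE_RAW_ONLY = build_identities_answer([("ssh-ed25519", "tpm-key")])
SAMPLE_WITH_CERT = build_identities_answer([
    ("ssh-ed25519", "tpm-key"),
    ("ssh-ed25519-cert-v01@openssh.com", "tpm-key-cert"),
])

if __name__ == "__main__":
    ids = query_agent()
    for kt, comment, is_cert in ids:
        print(f"{'CERT' if is_cert else 'key '} {kt}  {comment}")
    print(certificate_status(ids))
```

Run it on machine A first (the certificate should be listed), then again on host B inside the `ssh -A` session. If host B lists only `ssh-ed25519` (or the RSA/ECDSA equivalent) with `missing_cert_for` non-empty while A lists the `-cert-v01@openssh.com` entry as well, the certificate is not being offered through the forwarded socket, which matches the symptom reported above.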