Mailing List Archive

[PATCH 0/4] T1756 gpg-agent doesn't accept ssh certificates
This set of patches updates support for certificates and
addresses (at least part of) https://dev.gnupg.org/T1756.

With these patches users will be able to add an RSA key and
certificate to gpg-agent and get passwordless sign-in
through signed certificates.

Looking forward to feedback and comments.


Signed-off-by: Igor Okulist <okigan@gmail.com>


Igor Okulist (4):
ssh: update certificate support
ssh: update certificate support
ssh: update certificate support
ssh: update certificate support

agent/agent.h | 3 +-
agent/command-ssh.c | 117 +++++++++++++++++++++++++++++++++++++++++---
agent/cvt-openpgp.c | 12 ++++-
agent/findkey.c | 46 ++++++++++++++---
4 files changed, 159 insertions(+), 19 deletions(-)

--
2.25.1


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: [PATCH 0/4] T1756 gpg-agent doesn't accept ssh certificates
Igor Okulist wrote:
> This set of patches updates support for certificates and
> addresses (at least part of) https://dev.gnupg.org/T1756.
>
> With these patches users will be able to add an RSA key and
> certificate to gpg-agent and get passwordless sign-in
> through signed certificates.

AFAIU, ssh-agent (or gpg-agent's ssh-agent emulation) has no way to
_use_ certificates, when transferred from ssh-add.

Please use the -k option for ssh-add. Then no changes are required to
the current implementation of gpg-agent.

Please let us know your use case(s), if it's real.
--

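The suggestion above turns on what ssh-add actually hands to the agent. The script below is an added example, not code from this thread or from GnuPG: it runs against a stock OpenSSH ssh-agent (not gpg-agent) and shows that without -k ssh-add uploads the certificate as a second identity, while with -k the agent only ever sees the plain private key. It assumes OpenSSH's ssh-keygen, ssh-agent and ssh-add are on PATH; the CA, user key and certificate are throwaway material generated in a temporary directory, and the helper names make_ca_user_and_cert and list_agent_identity_types are this example's own. ed25519 is used for speed where the patch talks about RSA; ssh-add's handling of the -cert.pub file does not depend on the key type.

```shell
#!/bin/sh
# Added example (not code from the thread or from GnuPG): reproduce, against a
# stock OpenSSH ssh-agent, what ssh-add -k changes. Without -k, ssh-add also
# uploads <key>-cert.pub as a second identity; with -k it uploads the plain
# private key only. Assumes ssh-keygen, ssh-agent and ssh-add are on PATH;
# all key material is generated in a temporary directory and removed on exit.
set -e

for tool in ssh-keygen ssh-agent ssh-add; do
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "skipping demo: $tool not found on PATH" >&2
        exit 0
    fi
done

# Build a throwaway CA, a user key and a CA-signed certificate for it in $1.
# ed25519 is used for speed; ssh-add treats an RSA key exactly the same way.
make_ca_user_and_cert() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -C 'demo CA' -f "$dir/ca"
    ssh-keygen -q -t ed25519 -N '' -C 'demo user' -f "$dir/user"
    # -s: CA signing key, -I: certificate key id, -n: allowed principal,
    # -V: validity window. ssh-keygen writes the result to user-cert.pub.
    ssh-keygen -q -s "$dir/ca" -I demo-user -n demo -V +1h "$dir/user.pub"
    test -f "$dir/user-cert.pub"
}

# Start a private agent, run `ssh-add [flags] key`, and print the key type of
# every identity the agent then holds, one per line. A loaded certificate
# shows up as its own identity whose type ends in "-cert-v01@openssh.com".
# Usage: list_agent_identity_types /path/to/key [ssh-add flags...]
list_agent_identity_types() {
    key=$1
    shift
    # ssh-agent -s prints shell assignments for SSH_AUTH_SOCK and SSH_AGENT_PID
    eval "$(ssh-agent -s)" >/dev/null
    status=0
    ssh-add "$@" "$key" 2>/dev/null || status=$?
    ids=$(ssh-add -L) || status=$?
    # Always tear the agent down, even if ssh-add failed.
    ssh-agent -k >/dev/null
    [ "$status" -eq 0 ] || return "$status"
    printf '%s\n' "$ids" | awk '{ print $1 }'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_ca_user_and_cert "$WORK"

echo "ssh-add -k: plain key only"
list_agent_identity_types "$WORK/user" -k
echo "ssh-add (no -k): key plus certificate"
list_agent_identity_types "$WORK/user"
```

The first listing contains a single `ssh-ed25519` identity; the second contains that identity plus an `ssh-ed25519-cert-v01@openssh.com` one. That second, certificate-carrying identity is what ssh-add sends only when -k is absent, i.e. the case the bug report is about; with -k the agent never receives the certificate at all, which is why the reply says no gpg-agent change is needed for that mode.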
Re: [PATCH 0/4] T1756 gpg-agent doesn't accept ssh certificates
On Thu, Mar 18, 2021 at 11:25 PM NIIBE Yutaka <gniibe@fsij.org> wrote:
>
> Igor Okulist wrote:
> > This set of patches updates support for certificates and
> > addresses (at least part of) https://dev.gnupg.org/T1756.
> >
> > With these patches users will be able to add an RSA key and
> > certificate to gpg-agent and get passwordless sign-in
> > through signed certificates.
>
> AFAIU, ssh-agent (or gpg-agent's ssh-agent emulation) has no way to
> _use_ certificates, when transferred from ssh-add.
>
> Please use the -k option for ssh-add. Then no changes are required to
> the current implementation of gpg-agent.
>
> Please let us know your use case(s), if it's real.
> --


Thanks for the review, NIIBE.

You are absolutely right, but the current functionality of gpg-agent does not allow
certificate-based login. Here is a workflow (and test script) showing usage of
ssh-agent and gpg-agent; unfortunately it does not work with
gpg-agent as is.

So, looking for a way to use gpg-agent with ssh (and other tools as well),
the attached patch allowed it to work, but I would be curious whether there
is another way to do that.

Regards,
Igor

Re: [PATCH 0/4] T1756 gpg-agent doesn't accept ssh certificates
The link to the workflow (and test script):
https://github.com/okigan/gnupg-workspace/blob/feature/tp-5487-on-2.2.24/issues/tp-5487/repro.sh#L76

On Fri, Mar 26, 2021 at 5:32 PM Igor Okulist <okigan@gmail.com> wrote:
>
> On Thu, Mar 18, 2021 at 11:25 PM NIIBE Yutaka <gniibe@fsij.org> wrote:
> >
> > Igor Okulist wrote:
> > > This set of patches updates support for certificates and
> > > addresses (at least part of) https://dev.gnupg.org/T1756.
> > >
> > > With these patches users will be able to add an RSA key and
> > > certificate to gpg-agent and get passwordless sign-in
> > > through signed certificates.
> >
> > AFAIU, ssh-agent (or gpg-agent's ssh-agent emulation) has no way to
> > _use_ certificates, when transferred from ssh-add.
> >
> > Please use the -k option for ssh-add. Then no changes are required to
> > the current implementation of gpg-agent.
> >
> > Please let us know your use case(s), if it's real.
> > --
>
>
> Thanks for the review, NIIBE.
>
> You are absolutely right, but the current functionality of gpg-agent does not allow
> certificate-based login. Here is a workflow (and test script) showing usage of
> ssh-agent and gpg-agent; unfortunately it does not work with
> gpg-agent as is.
>
> So, looking for a way to use gpg-agent with ssh (and other tools as well),
> the attached patch allowed it to work, but I would be curious whether there
> is another way to do that.
>
> Regards,
> Igor
