Mailing List Archive

ssh-agent and certificates
Hi there!

I'm new to this list, and I hope it's the right place for my
feature wish...

I installed a user and host CA for my OpenSSH, signed all my pubkeys
for all hosts and users and so on, and did everything that needs doing for
certificate-based authentication with OpenSSH.

Great feature! Thank you for that.

But then I told my boss that it could be a good, a very good thing
for our company, because we have really highly secure data on our servers...

He asked me if certificate-based authentication works with ssh-agent
and jumphosts... I have not been able to find anything on the internet so far.
I fiddled around with my test servers, but I could not get it to work:
authenticating on a server via a jumphost, with ssh-agent forwarding to
another server.

Is this already possible? And how do I have to do this? What's the right
configuration? Can I use ProxyCommand with certificates?


thank you

Jakob

--
lore ipsum

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: ssh-agent and certificates
On Wed, Aug 28, 2019 at 1:22 PM Jakob Schürz <wertstoffe@schuerz.at> wrote:

> Is this already possible? And how do I have to do this? What's the right
> configuration? Can I use ProxyCommand with certificates?

Hi,

Yes, certificates work with ProxyCommand. From the perspective of the
client and ssh-agent, certificates are (mostly) just like regular
ssh-keys.

You may be getting hung up on the server-side configuration. Check the
sshd_config(5) manpage for TrustedUserCAKeys and the ssh-keygen(1)
manpage for CERTIFICATES.

This 8-year-old blog post is a good basic resource for information on
ssh certificates as well:
https://blog.habets.se/2011/07/OpenSSH-certificates.html

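
The configuration the reply points to, written out for a client, a jumphost and a target server. This is an added example, not part of the original thread and not the OpenSSH project's own text; the host names, the user name, all file paths and the CA key placeholder are assumptions.

```sshconfig
# ==== /etc/ssh/sshd_config on the jumphost AND on the target ====
# (the CA and certificate paths are assumed; use wherever you installed them)
# Accept any user certificate signed by this user CA whose principals
# match the login name; no per-user authorized_keys entry is needed.
TrustedUserCAKeys /etc/ssh/user_ca.pub
# Present the host certificate signed by the host CA to connecting clients.
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub

# ==== ~/.ssh/known_hosts on the client ====
# Trust host certificates signed by the host CA for this placeholder domain.
# The certificate's principals must include the HostName used below.
@cert-authority *.example.com ssh-ed25519 <HOST_CA_PUBLIC_KEY>

# ==== ~/.ssh/config on the client ====
# "ssh-add ~/.ssh/id_ed25519" also loads id_ed25519-cert.pub from the same
# directory, so the agent can offer the certificate like any other key.
Host jump
    HostName jump.example.com
    User jakob
    IdentityFile ~/.ssh/id_ed25519
    CertificateFile ~/.ssh/id_ed25519-cert.pub

Host target
    HostName target.example.com
    User jakob
    IdentityFile ~/.ssh/id_ed25519
    CertificateFile ~/.ssh/id_ed25519-cert.pub
    # The jumphost only relays the TCP stream (-W). Authentication to the
    # target is performed by the local client and its agent, so the private
    # key and certificate never reach the jumphost and agent forwarding
    # is not needed for this hop.
    ProxyCommand ssh -W %h:%p jump
    ForwardAgent no
```

With this in place, `ssh target` authenticates to both hops with the same certificate, and `ssh-add -l` on the client shows whether the certificate is loaded alongside the key.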