Loading OpenSSH certificate into ssh-agent without the private key

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I'm storing my ssh keys on a yubikey and hence I don't have any private key file on disk. This gives me a problem when I'm also using OpenSSH Certificates to authenticate. If I would like to bring the certificate with me using the ssh-agent I need to add it to the agent some how.



This is done automatically if I have a private key called priv and a cert called priv-cert.pub. But since I don't have a file I cant find a way to add the certificate file to the agent.



Does anyone have a clue how to do this?



It seems there is no support for this, I found this feature request: https://bugzilla.mindrot.org/show_bug.cgi?id=2472







share|improve this question


























    up vote
    1
    down vote

    favorite












    I'm storing my ssh keys on a yubikey and hence I don't have any private key file on disk. This gives me a problem when I'm also using OpenSSH Certificates to authenticate. If I would like to bring the certificate with me using the ssh-agent I need to add it to the agent some how.



    This is done automatically if I have a private key called priv and a cert called priv-cert.pub. But since I don't have a file I cant find a way to add the certificate file to the agent.



    Does anyone have a clue how to do this?



    It seems there is no support for this, I found this feature request: https://bugzilla.mindrot.org/show_bug.cgi?id=2472







    share|improve this question
























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I'm storing my ssh keys on a yubikey and hence I don't have any private key file on disk. This gives me a problem when I'm also using OpenSSH Certificates to authenticate. If I would like to bring the certificate with me using the ssh-agent I need to add it to the agent some how.



      This is done automatically if I have a private key called priv and a cert called priv-cert.pub. But since I don't have a file I cant find a way to add the certificate file to the agent.



      Does anyone have a clue how to do this?



      It seems there is no support for this, I found this feature request: https://bugzilla.mindrot.org/show_bug.cgi?id=2472







      share|improve this question














      I'm storing my ssh keys on a yubikey and hence I don't have any private key file on disk. This gives me a problem when I'm also using OpenSSH Certificates to authenticate. If I would like to bring the certificate with me using the ssh-agent I need to add it to the agent some how.



      This is done automatically if I have a private key called priv and a cert called priv-cert.pub. But since I don't have a file I cant find a way to add the certificate file to the agent.



      Does anyone have a clue how to do this?



      It seems there is no support for this, I found this feature request: https://bugzilla.mindrot.org/show_bug.cgi?id=2472









      share|improve this question













      share|improve this question




      share|improve this question








      edited Dec 7 '17 at 17:13

























      asked Dec 7 '17 at 8:34









      Peter

      1064




      1064




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          Yubikey documentation mentions that you can add certificates to the ssh-agent here https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html






          share|improve this answer






















          • No it does not. You can add pkcs11 providers but you cannot add certificate files without a corresponding key file on disk. There is a ticket in OpenSSH Bugzilla about it. bugzilla.mindrot.org/show_bug.cgi?id=2472
            – Peter
            Jun 5 at 14:26











          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f409423%2floading-openssh-certificate-into-ssh-agent-without-the-private-key%23new-answer', 'question_page');

          );

          Post as a guest






























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          0
          down vote













          Yubikey documentation mentions that you can add certificates to the ssh-agent here https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html






          share|improve this answer






















          • No it does not. You can add pkcs11 providers but you cannot add certificate files without a corresponding key file on disk. There is a ticket in OpenSSH Bugzilla about it. bugzilla.mindrot.org/show_bug.cgi?id=2472
            – Peter
            Jun 5 at 14:26















          up vote
          0
          down vote













          Yubikey documentation mentions that you can add certificates to the ssh-agent here https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html






          share|improve this answer






















          • No it does not. You can add pkcs11 providers but you cannot add certificate files without a corresponding key file on disk. There is a ticket in OpenSSH Bugzilla about it. bugzilla.mindrot.org/show_bug.cgi?id=2472
            – Peter
            Jun 5 at 14:26













          up vote
          0
          down vote










          up vote
          0
          down vote









          Yubikey documentation mentions that you can add certificates to the ssh-agent here https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html






          share|improve this answer














          Yubikey documentation mentions that you can add certificates to the ssh-agent here https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Jun 5 at 14:54









          Kusalananda

          104k14206324




          104k14206324










          answered Jun 5 at 14:13









          Evgeny

          1,962176




          1,962176











          • No it does not. You can add pkcs11 providers but you cannot add certificate files without a corresponding key file on disk. There is a ticket in OpenSSH Bugzilla about it. bugzilla.mindrot.org/show_bug.cgi?id=2472
            – Peter
            Jun 5 at 14:26

















          • No it does not. You can add pkcs11 providers but you cannot add certificate files without a corresponding key file on disk. There is a ticket in OpenSSH Bugzilla about it. bugzilla.mindrot.org/show_bug.cgi?id=2472
            – Peter
            Jun 5 at 14:26
















          No it does not. You can add pkcs11 providers but you cannot add certificate files without a corresponding key file on disk. There is a ticket in OpenSSH Bugzilla about it. bugzilla.mindrot.org/show_bug.cgi?id=2472
          – Peter
          Jun 5 at 14:26





          No it does not. You can add pkcs11 providers but you cannot add certificate files without a corresponding key file on disk. There is a ticket in OpenSSH Bugzilla about it. bugzilla.mindrot.org/show_bug.cgi?id=2472
          – Peter
          Jun 5 at 14:26


















           

          draft saved


          draft discarded















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f409423%2floading-openssh-certificate-into-ssh-agent-without-the-private-key%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?