The only way for ssh-keygen to generate a certificate is currently to access the private key representing the CA from a file, or to open the pkcs11 smartcard on its own. This makes it cumbersome to automate, as either the key is unencrypted and/or the card is PINless, since otherwise every signing attempt forces a manual password/PIN prompt. If ssh-keygen were able to access ssh-agent, it would be up to ssh-agent to hold the unencrypted private key, or to keep the pkcs11 smartcard open after having requested the PIN once. It could also be up to the ssh-agent feature of gpg-agent to use a GnuPG card natively.

Use case: http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-April/033813.html
Created attachment 2690: add support for ssh agent to sign certificates
Created attachment 2692: ssh-keygen testcase using ssh-agent for key signing

I've attached a simple test case showing the efficacy of the provided patch from mebhat. In the attached example, ssh-keygen will not prompt the user for credentials when specifying a signing key that is found in the ssh-agent. The user may provide either the private key file or public key file on the command line. If the public half of the CA is NOT found in the ssh-agent, the user will be prompted to enter credentials. A more detailed test could be provided, but the intent is to demonstrate that the provided patch works as intended.
We, at the Wikimedia Foundation, are facing a scenario very similar to the one described in the linked mailing list thread, in which we'd like to use an already armored private SSH CA key to sign temporary keys. With very few minor changes I was able to apply the proposed patch to the Debian Stretch openssh source package (version 7.3p1-1) [1], and so far it is working as expected during my tests. I'd like to know what the maintainers' position is on this feature in general and on this patch specifically. I'm also available if there is anything I can do to help with it.

[1] https://packages.debian.org/source/stretch/openssh
Created attachment 2887: ssh-keygen: Add ssh-agent support for key signing (adapted to master branch)

Original patch (2690) developed against version 7.1p by Meghana Bhat <mebhat@akamai.com>. Attached patch is adapted to master branch at 010359b (post 7.3p1, on 2016-11-07) by Riccardo Coccioli <rcoccioli@wikimedia.org>. The same patch was also sent as a pull request on GitHub: https://github.com/openssh/openssh-portable/pull/54
Created attachment 2983: allow CA signature operation to use keys hosted in ssh-agent

This is an IMO slightly simpler patch that reuses the existing APIs to talk to ssh-agent. To support this, it adds a new sshkey_certify_custom() that allows the caller to pass in a custom signature function, which we then use in ssh-keygen to call out to the agent.
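As an added example (not code from this thread or from OpenSSH), this is the exchange an agent-backed signature callback has to perform, written in Python against a running ssh-agent at $SSH_AUTH_SOCK: list the agent's identities to apply the "public half of the CA not found in the agent" check from the test case above, then send the sign request for the CA key blob and unpack the signature blob the agent returns. Message numbers follow the ssh-agent protocol; the CA public key blob and the certificate's to-be-signed bytes are assumed to be supplied by the caller.

```python
import os
import socket
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11  # ssh-agent protocol message numbers
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14

def ssh_string(b: bytes) -> bytes:  # SSH 'string': uint32 big-endian length + data
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int = 0):  # -> (data, next_offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    # The CA public key blob selects the agent-held private key; data is the
    # certificate's to-be-signed bytes that the signing callback receives.
    return (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))

def parse_identities(msg: bytes):  # SSH_AGENT_IDENTITIES_ANSWER -> [(key_blob, comment), ...]
    count, off, keys = struct.unpack_from(">I", msg, 1)[0], 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        keys.append((blob, comment.decode()))
    return keys

def parse_sign_response(msg: bytes):  # -> (algorithm, raw_signature) or None
    if msg[0] != SSH_AGENT_SIGN_RESPONSE:  # SSH_AGENT_FAILURE: agent refused to sign
        return None
    sig, _ = read_string(msg, 1)
    alg, off = read_string(sig)
    return alg.decode(), read_string(sig, off)[0]

def agent_call(body: bytes) -> bytes:  # one length-framed request/reply on $SSH_AUTH_SOCK
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        s.sendall(ssh_string(body))
        (n,) = struct.unpack(">I", s.recv(4, socket.MSG_WAITALL))
        return s.recv(n, socket.MSG_WAITALL)

def agent_sign(ca_key_blob: bytes, tbs: bytes):
    # Like the patched ssh-keygen: sign via the agent only if it holds the CA's
    # public half; None tells the caller to fall back to the key file (and PIN prompt).
    ids = parse_identities(agent_call(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
    if ca_key_blob not in [blob for blob, _ in ids]:
        return None
    return parse_sign_response(agent_call(build_sign_request(ca_key_blob, tbs)))
```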
This has been committed and will be in OpenSSH 7.6
closing resolved bugs as of 8.6p1 release