Comments (6)
It was indeed copy-paste from different sessions + obscuring my company. Thanks for tracking that down; I confirmed that rm -f'ing the files does indeed allow SSH to work with just the cert in the agent.
from cli.
Hi @redrac, this is quite weird and I cannot reproduce it.

When you see only the ECDSA-CERT in the agent, the agent has both the private key and the certificate. When you see ECDSA too, it means that it also has the public key, the same one that is available in the certificate. This is the expected behavior:

user@host01 [16:40:32] ~ $ ssh-add -l
256 SHA256:zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz/OAvwmabJI/4 /home/user/.ssh/id_ecdsa (ECDSA-CERT)

I've tried with these versions of ssh, but wasn't able to reproduce it:
- OpenSSH_9.4p1, OpenSSL 3.1.2 1 Aug 2023
- OpenSSH_9.0p1 Ubuntu-1ubuntu8.4, OpenSSL 3.0.8 7 Feb 2023
- OpenSSH_8.2p1 Ubuntu-4ubuntu0.9, OpenSSL 1.1.1f 31 Mar 2020

In my tests, instead of "Enter passphrase for key '/home/user/.ssh/id_ecdsa':" I see this:

$ ssh -v ssh.host
OpenSSH_8.2p1 Ubuntu-4ubuntu0.9, OpenSSL 1.1.1f 31 Mar 2020
...
debug1: Offering public key: [email protected] ECDSA-CERT SHA256:zzz agent
debug1: Server accepts key: [email protected] ECDSA-CERT SHA256:zzz agent
debug1: sign_and_send_pubkey: no separate private key for certificate "[email protected]"
debug1: Authentication succeeded (publickey).
Authenticated to ssh.host ([x.x.x.x]:22).
...

By the way, I've just noticed that the fingerprints in the ssh-add -l and ssh -v host02 outputs are different:

SHA256:zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz/OAvwmabJI/4
SHA256:zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz/6WH2c+Gt8

Can this be related, or are they just copy-pastes from different sessions?

@redrac I've been able to reproduce your behavior, but only if I store the files in /home/user/.ssh/id_ecdsa; it works as expected in any other case.

By the way, you can also use step ssh login [email protected]; it will generate an ephemeral key that will be only in the agent.

After looking at the ssh source code, if using a certificate and it is in the default location, it will first use the file instead of the agent. As the SSH server accepts that certificate, the client will ask you for the password of the file.

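As an added example (not from the thread or from the step project), a small Python diagnostic that parses `ssh-add -l` and `ssh -v` output to spot the situation described above: a certificate loaded into the agent from one of OpenSSH's default identity paths, which the client reads from disk before using the agent copy. The sample output is constructed, modelled on what is quoted in the thread; the default identity names are OpenSSH's documented defaults, and `user@example.com` stands in for the key comment.

```python
import re

# Identity files OpenSSH tries when no IdentityFile is configured. Per the
# thread, a certificate whose private key sits at one of these paths is read
# from disk before the agent copy, so ssh prompts for the file's passphrase.
DEFAULT_IDENTITIES = ("id_rsa", "id_ecdsa", "id_ecdsa_sk", "id_ed25519", "id_ed25519_sk", "id_dsa")

# One line of `ssh-add -l`: "<bits> <fingerprint> <comment> (<key type>)"
_AGENT_LINE = re.compile(r"^(\d+) (\S+) (.+) \((\S+)\)$")
# `ssh -v` offer line: "Offering public key: <comment> <type> <fingerprint> [agent]"
_OFFER_LINE = re.compile(r"Offering public key: (\S+) (\S+) (\S+)(?: (agent))?$")

def parse_ssh_add_list(text):
    """Parse `ssh-add -l` output into dicts with bits, fingerprint, comment, type."""
    entries = []
    for line in text.splitlines():
        m = _AGENT_LINE.match(line.strip())
        if m:
            entries.append({"bits": int(m[1]), "fingerprint": m[2], "comment": m[3], "type": m[4]})
    return entries

def shadowed_certs(entries, home):
    """Return agent certificate entries whose comment is a default identity path."""
    defaults = {f"{home}/.ssh/{name}" for name in DEFAULT_IDENTITIES}
    return [e for e in entries if e["type"].endswith("-CERT") and e["comment"] in defaults]

def offered_keys(debug_text):
    """From `ssh -v` output, list each offered key and whether it came from the agent."""
    offers = []
    for line in debug_text.splitlines():
        m = _OFFER_LINE.search(line)
        if m:
            offers.append({"comment": m[1], "type": m[2], "fingerprint": m[3], "from_agent": m[4] == "agent"})
    return offers

# Constructed samples, modelled on the output quoted in the thread.
AGENT_LIST = """\
256 SHA256:zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz/OAvwmabJI/4 /home/user/.ssh/id_ecdsa (ECDSA-CERT)
256 SHA256:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy /home/user/.ssh/work_cert (ECDSA-CERT)
"""
SSH_DEBUG = """\
debug1: Offering public key: user@example.com ECDSA-CERT SHA256:zzz agent
"""

if __name__ == "__main__":
    for e in shadowed_certs(parse_ssh_add_list(AGENT_LIST), "/home/user"):
        print(f"{e['comment']} is a default identity path; ssh reads the file before the agent")
    for o in offered_keys(SSH_DEBUG):
        print(f"offered {o['type']} {o['fingerprint']} from {'agent' if o['from_agent'] else 'file'}")
```

An offer line without the trailing `agent` word means the key came from a file, which is what the thread's passphrase prompt corresponds to.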