RFC: opkssh-agent feature

[Foxboron]

opkssh might want to issue certificates to keys that are only exposed in the ssh-agent keyring. As the ssh-agent protocol does not allow you to add a certificate without also providing a private key, we need to shim the socket.

This allows us a bit better control of how to provide keys and certificates to the ssh connection.

Usage:

$ eval $(ssh-agent)
$ export SSH_AUTH_SOCK=$(opkssh-agent ${SSH_AUTH_SOCK})

This would also allow us to run the -auto-refresh feature as part of the agent, instead of as a seperate invocation of opkssh login.

[Foxboron]

Is there any other features we would like to have with this?

I suspect I can just lift most of my code from ssh-tpm-agent to implement this feature, and it would probably not be very hard to do.

https://github.com/Foxboron/ssh-tpm-agent/blob/master/agent/agent.go

[EthanHeilman]

If you want to talk about this over hangouts, we are having an community meeting this Wednesday

OpenPubkey Community Meeting 2:00 PM (ET) 6:00pm (GMT)
Wednesday, April 16 · 2:00 – 3:00pm
Time zone: America/New_York
Google Meet joining info
Video call link: https://meet.google.com/hvc-dywm-wzk

[Foxboron]

6PM GMT is 20:00 local on my end, I'm not very big on meetings outside of work :) I'll note the time down but it's also easter so no promises on my end!

Thanks for the headsup!

[EthanHeilman]

No worries if you can't make it.