cloudtools / ssh-cert-authority

An implementation of an SSH certificate authority.
BSD 2-Clause "Simplified" License
723 stars, 71 forks

Same client key for different environments didn't work after restarting the client ssh-agent #21

Closed. zeeshen closed this issue 7 years ago.

zeeshen commented 7 years ago

I want to SSH to different environments with a single SSH key pair. I ran request and get multiple times and SSHed to different environments, and it worked fine. But after I restarted my computer, I couldn't SSH to those machines anymore, except for the last environment I requested. I found that this is because ssh-agent restarted and all the certs in ssh-agent were lost. The last one I requested had downloaded id_rsa-cert, so it still worked.

So is there a way to have the signers for different environments sign the same cert?

bobveznat commented 7 years ago

I have this same problem. It is impossible to name the -cert files something else. OpenSSH has hardcoded that a certificate for a given keypair must be the same name as the private key + "-cert.pub". You can see this here: https://github.com/openssh/openssh-portable/blob/master/ssh-add.c#L132 .

The workaround I came up with is to use per-environment keys on the user side. For example, I have SSH private keys for development, staging and production environments and a fourth key that I use for signing.

This means that in my .ssh directory right now I have these files:

bvanzant-prod
bvanzant-prod-cert.pub
bvanzant-prod.pub
bvanzant-shared
bvanzant-shared-cert.pub
bvanzant-shared.pub
bvanzant-signer
bvanzant-signer.pub
bvanzant-stage
bvanzant-stage-cert.pub
bvanzant-stage.pub
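The per-environment layout described above, as an added example script (this is not code from ssh-cert-authority or from anyone in this thread). It encodes the naming rule from ssh-add.c in one function, generates one key pair per environment, signs each one, and emits ssh_config stanzas that point each host pattern at its own key and certificate on disk, so a restarted ssh-agent no longer loses anything. Assumptions not taken from the page: a local CA key generated in a temp directory stands in for the per-environment signers (with ssh-cert-authority the cert would come from the signer instead and must be saved at the `<key>-cert.pub` path), the host patterns `*.<env>.example.com`, the principal names `dev`/`stage`/`prod`, and the hypothetical `SSH_CERT_USER` variable for the file-name prefix. One caveat worth knowing: since OpenSSH 7.3 the `CertificateFile` option lets ssh(1) load a certificate from any path, but `ssh-add` still only looks for `<key>-cert.pub`, so the per-key naming still matters whenever certs go through the agent.

```shell
#!/bin/sh
# Added example: one SSH key pair per environment, each with its own
# <key>-cert.pub on disk, plus ssh_config stanzas to select them.
# Not code from ssh-cert-authority. A local CA key stands in for the
# per-environment signers (assumption), as do the host patterns,
# principal names and the SSH_CERT_USER variable.
set -eu

user=${SSH_CERT_USER:-bvanzant}   # hypothetical; file-name prefix only

# OpenSSH's hard-coded rule (ssh-add.c): the certificate for private key K
# must live at K-cert.pub. ssh-add ignores any other file name.
cert_path_for() {
    printf '%s-cert.pub\n' "$1"
}

# One key pair per environment: <dir>/<user>-<env>. Each environment then has
# its own <user>-<env>-cert.pub slot instead of all of them competing for
# id_rsa-cert.pub.
make_env_keys() {
    dir=$1; shift
    for env in "$@"; do
        ssh-keygen -q -t ed25519 -N '' -C "$user-$env" -f "$dir/$user-$env"
    done
}

# Sign an environment key with that environment's CA (here a local CA key
# standing in for the signer; assumption). ssh-keygen writes the cert to
# exactly the path OpenSSH expects, which the final test confirms.
sign_env_key() {
    ca=$1; dir=$2; env=$3
    ssh-keygen -q -s "$ca" -I "$user-$env" -n "$env" -V +8h "$dir/$user-$env.pub"
    test -f "$(cert_path_for "$dir/$user-$env")"
}

# ssh_config stanzas: each host pattern gets its own key and certificate.
# ssh(1) reads both from disk, so a restarted agent no longer matters.
# IdentitiesOnly keeps ssh from offering every other key in the agent first.
emit_ssh_config() {
    dir=$1; shift
    for env in "$@"; do
        key=$dir/$user-$env
        printf 'Host *.%s.example.com\n' "$env"
        printf '    IdentityFile %s\n' "$key"
        printf '    CertificateFile %s\n' "$(cert_path_for "$key")"
        printf '    IdentitiesOnly yes\n\n'
    done
}

# End-to-end run in a temp dir: keys, certs, config, and a look at one cert.
demo() {
    tmp=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C ca -f "$tmp/ca"   # stand-in CA (assumption)
    make_env_keys "$tmp" dev stage prod
    for env in dev stage prod; do
        sign_env_key "$tmp/ca" "$tmp" "$env"
    done
    ls -1 "$tmp"
    emit_ssh_config "$tmp" dev stage prod
    ssh-keygen -L -f "$(cert_path_for "$tmp/$user-prod")"
    rm -rf "$tmp"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    demo
else
    echo "ssh-keygen not found; skipping key generation demo" >&2
fi
```

Drop the emitted stanzas into `~/.ssh/config` and `ssh box.prod.example.com` will authenticate with `bvanzant-prod` and its certificate straight from disk; the agent is optional rather than the only place the cert lives. `IdentitiesOnly yes` is the setting that makes the per-environment split behave: without it, ssh offers every key the agent holds before the configured one, which both leaks which keys you carry and can trip `MaxAuthTries` on a server that rejects them.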

zeeshen commented 7 years ago

Per-environment keys may be a solution, but it's kind of annoying to ask every developer to keep so many keys. Thank you for your help. Since it's an OpenSSH problem, I'll close this issue. Good project, by the way 👍. And I think it could be improved by adding an interface to reload the config at runtime (I write rather poor Go code, so no PR :)).