Closed msabatier closed 2 years ago
Are you using KeeAgent in agent mode or client mode? And if client mode, which client?
I noticed that in the OpenSSH agent, it loads two copies of the private key, one with the certificate and one without. In my testing on Linux (both agent mode and client mode) I was able to connect to the docker container with only the copy with the certificate, so I left it that way.
Do you use the same key without a certificate to connect to some servers?
I was able to reproduce the problem. It turns out the bug was unrelated to having a separate copy of the private key. The problem was that KeeAgent was sending the wrong signing algorithm name to ssh (it wasn't stripping off the -cert part). This wasn't a problem for RSA keys because the algorithm name was overridden due to special SSH agent protocol flags that only apply to RSA keys. But the bug was apparent when using an ED25519 key.
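The name mapping described in the comment above, as an added Python example that is not part of the thread and is not KeeAgent's code (KeeAgent is written in C#). The function names and the `strip_cert` switch are hypothetical; the flag values are the RSA-only sign-request flags of the SSH agent protocol, and the key blobs are constructed samples.

```python
import struct

CERT_SUFFIX = "-cert-v01@openssh.com"
SSH_AGENT_RSA_SHA2_256 = 2  # RSA-only flags carried in an agent sign request
SSH_AGENT_RSA_SHA2_512 = 4


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def key_type_of(key_blob: bytes) -> str:
    """A public key or certificate blob starts with its type name as a string."""
    (n,) = struct.unpack_from(">I", key_blob, 0)
    if n > len(key_blob) - 4:
        raise ValueError("truncated key blob")
    return key_blob[4:4 + n].decode("ascii")


def signature_algorithm(key_type: str, flags: int = 0, strip_cert: bool = True) -> str:
    """Name to place in the signature blob for a key of this type.

    strip_cert=False (hypothetical switch) reproduces the behaviour described
    above, where the certificate suffix is left on the name.
    """
    is_cert = key_type.endswith(CERT_SUFFIX)
    plain = key_type[:-len(CERT_SUFFIX)] if is_cert else key_type
    if plain == "ssh-rsa":
        # The RSA flags replace the name outright, which hides a missing strip.
        if flags & SSH_AGENT_RSA_SHA2_256:
            return "rsa-sha2-256"
        if flags & SSH_AGENT_RSA_SHA2_512:
            return "rsa-sha2-512"
    return plain if strip_cert else key_type


def signature_blob(alg: str, raw_sig: bytes) -> bytes:
    """Signature as returned by the agent: string(algorithm) + string(signature)."""
    return ssh_string(alg.encode("ascii")) + ssh_string(raw_sig)


# Constructed sample blobs: a real certificate carries more fields after the name.
ED_CERT = ssh_string(b"ssh-ed25519-cert-v01@openssh.com") + b"\x00" * 8
RSA_CERT = ssh_string(b"ssh-rsa-cert-v01@openssh.com") + b"\x00" * 8

if __name__ == "__main__":
    for blob, flags in ((ED_CERT, 0), (RSA_CERT, SSH_AGENT_RSA_SHA2_512)):
        kt = key_type_of(blob)
        print(kt, "| unstripped:", signature_algorithm(kt, flags, strip_cert=False),
              "| stripped:", signature_algorithm(kt, flags))
```

Without the strip, the RSA certificate still yields a valid name because of the flag override, while the ED25519 certificate yields its certificate type name instead of `ssh-ed25519`.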
I am using KeeAgent in agent mode.
I confirm that authentication with my cert is working with the latest build. You are right, this was not related to the private key being loaded.
But to answer your question, yes, we sometimes also connect with the key and not the cert. Plus, this is what OpenSSH does when you use ssh-add, as you noticed. That's why in my original PR I was loading both.
Hi David,
I tested with KeePass v2.51.1 on Windows 11 64-bit with this build: https://github.com/dlech/KeeAgent/actions/runs/2374959331
When loading a key with certificate into KeeAgent using ssh-add, everything works as expected and ssh-add -l gives
When I use that key to connect, it works.
When adding the same key in the KeePass file and configuring KeeAgent to load it from file, only the cert is loaded. A ssh-add -l gives
When trying to connect, it fails as the private key is not available.