Open Underknowledge opened 4 years ago
You don't add the signed public key to ssh agent so it wouldn't be on us to handle it. The article states it is added to your .ssh folder.
Well, yes. That is basically true for every key by default. But you can add them to the keychain.
The default is that the ssh-keygen utility looks for the `*-cert.pub` files and then adds them to the agent as well.

```
[user@my_user .ssh]$ ssh-add -l
The agent has no identities.
[user@my_user .ssh]$ ssh-add id_rsa
Identity added: id_rsa (user@my_user.domain)
Certificate added: id_rsa-cert.pub (USER_ID)
[user@my_user .ssh]$ ssh-add -l
3072 SHA256:1+iCBmApvXxPbo1dE5NB01X58IuxaPu3KaDMCz+slpc user@my_user.domain (RSA)
3072 SHA256:1+iCBmApvXxPbo1dE5NB01X58IuxaPu3KaDMCz+slpc user@my_user.domain (RSA-CERT)
```
@Underknowledge nice idea! But for difficult, granular, and distributed permissions you can also look at the Vault solution from HashiCorp - https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates, where the main idea is short-lived certificates (as it is very difficult to deliver a revocation list to a lot of sshd instances).
I second @Underknowledge's request for supporting loading `*-cert.pub` files into the agent if they are available within the already set up SSH key entry within KeePassXC. I am not even sure an interface change is necessary, because if a conventionally named certificate exists, either as an attachment or next to an external file, KeePassXC would be in a position to autoload it along with the private key.
Also I think the comment saying
[…] The article states it is added to your .ssh folder.
is beside the point. If I wanted my SSH key pairs to live in ~/.ssh (or really anywhere else; I can totally put them elsewhere, and as long as the file permissions are good SSH doesn't care) I wouldn't have put them into KeePassXC to begin with.
To maybe clarify a misconception here: the signing process will simply put the `*-cert.pub` file next to the original private key by default. That location is typically ~/.ssh, which is why the article mentioned the certificate would reside there.
As a side note, KeePassXC currently supports external files to be loaded into the ssh-agent, but this doesn't honor existing, matching `*-cert.pub` files either. This approach could have been something like a workaround.
So to recap: if I manually load a private key from disk using `ssh-add` and a matching certificate exists (either by the `*-cert.pub` convention or via the `CertificateFile` directive in the ssh config, see the ssh manual), the certificate will also be loaded into the agent, as @Underknowledge also stated. It would be very, very cool if KeePassXC could do that as well.
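To make concrete what a `*-cert.pub` file actually contains, why `ssh-add -l` above lists the same SHA256 fingerprint for the RSA and the RSA-CERT entry, and what "matching" certificate means, here is an added example (not KeePassXC or OpenSSH code, and not from anyone in this thread). It parses one line of an OpenSSH certificate file with the Python standard library only, reports the key ID, principals and validity window (the short-lived window the Vault comment relies on), and checks that the certificate wraps the public key of a given `.pub` line. The certificate it runs on is constructed in the block with a placeholder signature; only `ssh-ed25519` certificates are handled, and the CA signature is not verified.

```python
import base64
import hashlib
import struct

# Added example, not KeePassXC's or OpenSSH's code. Parses the wire format of
# an OpenSSH *-cert.pub line (see PROTOCOL.certkeys). Only ssh-ed25519 is handled
# and the CA signature is not verified; the demo certificate below is constructed.

CERT_SUFFIX = "-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Sequential reader for SSH wire-format data types."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate blob")
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def u64(self) -> int:
        return struct.unpack(">Q", self._take(8))[0]

    def string(self) -> bytes:
        return self._take(self.u32())


def fingerprint(pubkey_blob: bytes) -> str:
    """OpenSSH-style fingerprint: base64 of SHA256 over the plain public key blob, no padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(pubkey_blob).digest()).decode().rstrip("=")


def parse_cert_line(line: str) -> dict:
    """Parse 'type base64 [comment]' as found in id_ed25519-cert.pub."""
    fields = line.split(None, 2)
    key_type, blob = fields[0], base64.b64decode(fields[1])
    if not key_type.endswith(CERT_SUFFIX):
        raise ValueError("not an OpenSSH certificate: " + key_type)
    base_type = key_type[:-len(CERT_SUFFIX)]
    if base_type != "ssh-ed25519":
        raise NotImplementedError("this example only parses ssh-ed25519 certificates")
    r = Reader(blob)
    if r.string() != key_type.encode():
        raise ValueError("key type inside the blob does not match the line prefix")
    r.string()                     # nonce chosen by the CA
    pk = r.string()                # the certified public key (32 bytes for ed25519)
    serial = r.u64()
    cert_type = r.u32()
    key_id = r.string().decode()   # what "Certificate added: ... (KEY_ID)" prints
    pr = Reader(r.string())        # principals: packed list of strings
    principals = []
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    r.string(); r.string(); r.string()   # critical options, extensions, reserved
    signature_key = r.string()     # CA public key blob
    r.string()                     # signature over everything before it (not verified here)
    return {
        "type": base_type, "serial": serial, "is_user_cert": cert_type == SSH_CERT_TYPE_USER,
        "key_id": key_id, "principals": principals,
        "valid_after": valid_after, "valid_before": valid_before,
        # Same value ssh-add -l shows for both the key and the -CERT entry:
        "fingerprint": fingerprint(ssh_string(base_type.encode()) + ssh_string(pk)),
        "ca_fingerprint": fingerprint(signature_key),
    }


def cert_matches_pubkey(cert: dict, pub_line: str) -> bool:
    """True if the certificate certifies the key in the given .pub line."""
    key_type, b64 = pub_line.split(None, 2)[:2]
    return key_type == cert["type"] and fingerprint(base64.b64decode(b64)) == cert["fingerprint"]


def is_valid_at(cert: dict, epoch: int) -> bool:
    """Validity window check; ssh-add loads an expired cert, but sshd rejects it."""
    return cert["valid_after"] <= epoch < cert["valid_before"]


def build_demo_cert(pk: bytes, ca_pk: bytes) -> tuple:
    """Constructed test data, not a CA-signed certificate: returns (cert line, plain .pub line)."""
    cert_type = b"ssh-ed25519" + CERT_SUFFIX.encode()
    ca_blob = ssh_string(b"ssh-ed25519") + ssh_string(ca_pk)
    body = (ssh_string(cert_type) + ssh_string(b"\x11" * 32) + ssh_string(pk)
            + struct.pack(">Q", 42) + struct.pack(">I", SSH_CERT_TYPE_USER)
            + ssh_string(b"USER_ID") + ssh_string(ssh_string(b"user"))
            + struct.pack(">Q", 1_700_000_000) + struct.pack(">Q", 1_700_003_600)  # one-hour lifetime
            + ssh_string(b"") + ssh_string(b"") + ssh_string(b"") + ssh_string(ca_blob))
    fake_sig = ssh_string(b"ssh-ed25519") + ssh_string(b"\x00" * 64)  # placeholder signature
    cert_line = cert_type.decode() + " " + base64.b64encode(body + ssh_string(fake_sig)).decode() + " user@my_user.domain"
    pub_line = "ssh-ed25519 " + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(pk)).decode()
    return cert_line, pub_line


if __name__ == "__main__":
    cert_line, pub_line = build_demo_cert(b"\x01" * 32, b"\x02" * 32)
    cert = parse_cert_line(cert_line)
    print(cert["key_id"], cert["principals"], cert["fingerprint"])
    print("matches .pub:", cert_matches_pubkey(cert, pub_line), "valid:", is_valid_at(cert, 1_700_000_600))
```

The fingerprint is computed over the plain public key embedded in the certificate, not over the whole certificate blob, which is why the two `ssh-add -l` lines above share it; a tool like KeePassXC that wants to pair a stored private key with a `*-cert.pub` attachment can use the same comparison instead of relying on the file name alone.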
I'd like to see this feature as well! I am keen to try it for softlinked external ssh-key files.
I'm currently implementing the support for key certificates in the SSH agent. I hope to finish this soon...
As soon as I have something functional, I'll propose it to the maintainers.
I've made good progress, adding and removing keys and their certificates works.
I haven't tested with multiple types of key algorithms, just with ed25519.
The code can still be improved, I tried to limit modification of the existing code to facilitate review.
While debugging, I noticed that the keys were being parsed multiple times. I made a quick fix, but I think it's possible to make it much cleaner. See this commit: SSH Agent: Fix duplicate key and config reads
If a Qt expert happens to come by, their help or advice would be welcome.
Feel free to provide feedback!
Summary
I just stumbled over this nice article about signing public keys and creating SSH certificates. I handed my ssh-key management completely over to KeePassXC; it's just super convenient. But it's not possible for KeePassXC to load `*-cert.pub` files into the ssh-agent. (Workaround: save them back out to .ssh and place the `*-cert.pub` beside it.) For now I only get `Invalid key file, expecting an OpenSSH key`.
Examples
Context
It really makes sense to sign certificates. Key management is pure pain, and it would be really beneficial to keep ssh-keys in KeePassXC.