The sshkey_equal_public() call is trying to compare a cert's pub with a private key, and it never finds a match, which means sshd cannot use this certificate even though its private key is in ssh-agent.
I believe it should be comparing a cert's public key with a public key in sensitive_data, as follows.
Reported as https://bugzilla.mindrot.org/show_bug.cgi?id=3254 upstream:
Please take a look at line 1936 in the main() function in sshd.c.
```c
/* Find matching private key */
for (j = 0; j < options.num_host_key_files; j++) {
	if (sshkey_equal_public(key,
	    sensitive_data.host_keys[j])) {
		sensitive_data.host_certificates[j] = key;
		break;
	}
}
```
The sshkey_equal_public() call is trying to compare a cert's pub with a private key, and it never finds a match, which means sshd cannot use this certificate even though its private key is in ssh-agent.
I believe it should be comparing a cert's public key with a public key in sensitive_data, as follows.
```c
/* Find matching private key */
for (j = 0; j < options.num_host_key_files; j++) {
	if (sshkey_equal_public(key,
	    sensitive_data.host_pubkeys[j])) {
		sensitive_data.host_certificates[j] = key;
		break;
	}
}
```
https://github.com/openssh/openssh-portable/blob/V_8_4/sshd.c#L1936
Due to this, HostCertificate and HostKeyAgent do not work together in sshd, and this affects every version of OpenSSH back to Focal, at least.
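To make the failure mode concrete, here is an added example that is not OpenSSH code: a small model of the matching loop above. It relies on the fact that when sshd gets a host key from the agent it loads only the .pub file, so the host_keys[] slot stays NULL while host_pubkeys[] is populated, and sshkey_equal_public() never matches a NULL side. The struct and key values are constructed stand-ins; only the field names follow sshd.c.

```c
/* Added example (not OpenSSH code): a minimal model of sshd's host-certificate
 * matching loop. Field names mirror sensitive_data in sshd.c; types are stand-ins. */
#include <stddef.h>
#include <string.h>
#define NUM_HOST_KEY_FILES 2
struct mock_key { const char *pub; };  /* stand-in for struct sshkey: public blob only */

/* Stand-in for sshkey_equal_public(): a NULL side never matches, as in OpenSSH. */
static int mock_equal_public(const struct mock_key *a, const struct mock_key *b)
{
    if (a == NULL || b == NULL)
        return 0;
    return strcmp(a->pub, b->pub) == 0;
}

struct mock_sensitive_data {
    struct mock_key *host_keys[NUM_HOST_KEY_FILES];    /* NULL when the agent holds the key */
    struct mock_key *host_pubkeys[NUM_HOST_KEY_FILES]; /* always loaded from the .pub file */
};

/* Returns the slot the certificate was attached to, or -1 if no host key matched.
 * use_pubkeys = 0 reproduces the reported loop (host_keys), 1 the proposed fix. */
static int attach_host_certificate(struct mock_sensitive_data *sd, struct mock_key *cert,
    struct mock_key *certificates[], int use_pubkeys)
{
    for (int j = 0; j < NUM_HOST_KEY_FILES; j++) {
        struct mock_key *candidate = use_pubkeys ? sd->host_pubkeys[j] : sd->host_keys[j];
        if (mock_equal_public(cert, candidate)) {
            certificates[j] = cert;
            return j;
        }
    }
    return -1;
}

/* Constructed scenario from the report: HostKeyAgent holds both private keys,
 * so host_keys[] is all NULL while host_pubkeys[] came from the .pub files. */
static struct mock_key ed25519_pub = { "ssh-ed25519 AAAA...constructed" };
static struct mock_key rsa_pub     = { "ssh-rsa AAAA...constructed" };
static struct mock_key host_cert   = { "ssh-rsa AAAA...constructed" }; /* certifies rsa_pub */

int demo(int use_pubkeys)
{
    struct mock_sensitive_data sd = {
        .host_keys    = { NULL, NULL },
        .host_pubkeys = { &ed25519_pub, &rsa_pub },
    };
    struct mock_key *certificates[NUM_HOST_KEY_FILES] = { NULL, NULL };
    return attach_host_certificate(&sd, &host_cert, certificates, use_pubkeys);
}
```

demo(0) returns -1 (the certificate is silently dropped), while demo(1) returns 1 (attached to the RSA host key slot).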