Hey everyone,
I can confirm the fix has been tested by our friends at Google (Anthos) for Focal 20.04, using the same patch used in 1:8.2p1-4ubuntu0.4 but *not* by using the package from focal-proposed itself.
Hopefully this still suffices? Please let me know if not and I'll re-run the verification again using an instance pulling from focal-proposed.
[RATIONALE]
Need SSH to authenticate a ``HostCertificate`` and an SSH agent that holds the corresponding host private key.
The sshd_config has the following directives:
-- HostCertificate the public host certificate whose public key matches the private key stored in the ssh agent
-- HostKey the public key of the host keypair
-- HostKeyAgent the socket of the ssh agent that holds the host private key
Before the patch, this combination didn't work - even though it authenticated successfully, the setup behaved as if ``HostCertificate`` was never configured (i.e. it authenticated using only the public key and the private key in the ssh agent).
[VERIFICATION OF FIX]
````
ssh-agent -a /path/agent-socket
SSH_AUTH_SOCK=/path/agent-socket ssh-add -k /path/hostkey
````
Then ran ``sshd`` with:
````
HostCertificate /path/hostkey-cert.pub
HostKey /path/hostkey.pub
HostKeyAgent /path/agent-socket
````
Then configured the CA trust anchor on the client's side.
(localhost was used, but it would be the same if a second host is used as a client)
````
ssh -vv localhost
````
shows the host certificate was seen and used.
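
One way to automate the final check above, as an added example that is not part of the original comment: it reads `ssh -vv` client output and reports whether the server presented a host certificate or only a plain key, the latter being the behaviour described before the patch. The sample debug lines are constructed with placeholder fingerprints, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: classify `ssh -vv` client output read from stdin.
# Prints "certificate", "plain-key" or "unknown".
classify_hostkey() {
    awk '
        # Negotiated host key algorithm; certificate types end in -cert-v01@openssh.com
        /kex: host key algorithm:/ { alg = $NF }
        # Client log line when the server presented a host certificate
        /Server host certificate:/ { cert = 1 }
        # Client log line when the server presented only a bare public key
        /Server host key:/         { plain = 1 }
        END {
            if (cert && alg ~ /-cert-v01@openssh\.com$/) print "certificate"
            else if (plain) print "plain-key"
            else print "unknown"
        }'
}

# Constructed sample: HostCertificate honoured (fingerprints are placeholders).
sample_with_cert() {
    cat <<'EOF'
debug1: kex: host key algorithm: ssh-ed25519-cert-v01@openssh.com
debug1: Server host certificate: ssh-ed25519-cert-v01@openssh.com SHA256:PLACEHOLDER, serial 0 ID "constructed-host" CA ssh-ed25519 SHA256:PLACEHOLDER valid forever
debug1: Host 'localhost' is known and matches the ED25519-CERT host certificate.
EOF
}

# Constructed sample: the pre-patch symptom, certificate silently ignored.
sample_plain_key() {
    cat <<'EOF'
debug1: kex: host key algorithm: ssh-ed25519
debug1: Server host key: ssh-ed25519 SHA256:PLACEHOLDER
debug1: Host 'localhost' is known and matches the ED25519 host key.
EOF
}

sample_with_cert | classify_hostkey
sample_plain_key | classify_hostkey
# Live use (ssh writes debug output to stderr):
#   ssh -vv localhost true 2>&1 | classify_hostkey
```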