The more I think about it, the more I like the self-referential nature of sshagentca talking to ssh-agent to sign certificates to distribute to another ssh-agent :-)
The main security weakness I can see is that ssh-agent will sign any data you give it - hence anyone who gets direct access to the socket could sign themselves a certificate with infinite lifetime. ssh-agent can run another process as a direct child, but I think they still communicate via a unix domain socket. BTW, I think sshagentca is a fantastic little project. One of the things I've just tested is using a U2F token (ecdsa-sk), as introduced in OpenSSH 8.2. It works perfectly with sshagentca, which then issues me with a regular key and certificate (ECDSA-CERT 384). This type of key and certificate works with older versions of sshd, meaning you can use sshagentca to bootstrap your security from U2F keys without having to upgrade sshd on all your hosts. Very neat indeed. -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/6fc082c1-318f-4037-8d5b-aa9710e5eb23%40googlegroups.com.
