ssh-tpm-agent
agent-forwarding does not work with certificates
It will take me a few hours to get to the bottom of it, but it looks like when you use this agent with an SSH PKI, agent forwarding appears to cause the pubkey itself, not the certificate, to get forwarded. Here is a scenario: I have user machine A, and hosts B and C. User A has TPM user keys, while B and C trust the CA which has signed A's TPM pubkey.
From my user on machine A I will run: ssh -Av B.local
I can confirm from the output that my certificate is approved and I log in without a password. Within this session I now run:
ssh -v C.local
This authorization fails. If I move the pubkey to machine C as an authorized_key, then the forwarded agent works.
So it seems to me that ssh-tpm-agent needs to be modified to correctly forward the certificate, as this scheme works as intended when not using the TPM agent.
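A quick way to see what the forwarded agent is actually offering is to run ssh-add -L on the intermediate host (B in the scenario above) and look at the key type at the start of each line: OpenSSH lists a certificate with a type ending in -cert-v01@openssh.com (for example ssh-ed25519-cert-v01@openssh.com), while a plain key shows as ssh-ed25519, ecdsa-sha2-nistp256 and so on. If no certificate line appears in that listing, the client on B can only offer the plain public key, which is consistent with the report above that C accepts the login once the pubkey is added to authorized_keys. The POSIX shell helper below is an added example, not part of ssh-tpm-agent or of the reporter's post; it classifies such a listing offline. SAMPLE_LISTING is constructed and its key material is placeholder text, not real keys.

```shell
#!/bin/sh
# Added diagnostic (not ssh-tpm-agent code): classify the identities an SSH agent
# exposes, using the line format of `ssh-add -L` ("<type> <base64 blob> <comment>"),
# so you can tell whether a forwarded agent is offering certificates or only raw keys.

# Constructed sample listing; the base64 blobs are placeholders, not real key material.
SAMPLE_LISTING='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialA user@A
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxPlaceholderCert user@A
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYPlaceholderKeyB other key'

# classify_identities: read an agent listing on stdin and print one line per
# identity in the form "<cert|pubkey|unknown> <type> <comment>".
classify_identities() {
    while IFS=' ' read -r ktype blob comment; do
        [ -z "$ktype" ] && continue
        case "$ktype" in
            *-cert-v01@openssh.com) kind=cert ;;
            ssh-*|ecdsa-*|sk-*)     kind=pubkey ;;
            *)                       kind=unknown ;;
        esac
        printf '%s %s %s\n' "$kind" "$ktype" "${comment:-(no comment)}"
    done
}

# count_certs: number of certificate identities in the listing on stdin.
# grep -c exits 1 when the count is 0, so force success to keep the number usable.
count_certs() {
    classify_identities | grep -c '^cert ' || true
}

# count_pubkeys: number of plain (non-certificate) public keys in the listing on stdin.
count_pubkeys() {
    classify_identities | grep -c '^pubkey ' || true
}

# Demo on the constructed listing. On a real intermediate host you would instead
# pipe the live agent output:  ssh-add -L | classify_identities
printf '%s\n' "$SAMPLE_LISTING" | classify_identities
```

On host B in the reported setup, `ssh-add -L | classify_identities` showing only `pubkey` lines (no `cert` line) confirms that the certificate is missing from the forwarded agent; `ssh -v C.local` will then offer the raw key only, and C, trusting just the CA, rejects it.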