
Fix ssh-agent certificate not recognized with IdentitiesOnly

Open · AlexpFr opened this issue 1 year ago · 1 comment

The certificate present in the SSH agent is not added to the keys to be tested when 'IdentitiesOnly yes' is configured in the ~/.ssh/config file.

$ cat ~/.ssh/config
Host exemple.org
	IdentityFile ~/.ssh/id_ed25519.pub
	IdentitiesOnly Yes
$ ssh-add -l
256 SHA256:<FINGERPRINT> <COMMENT> (ED25519)
256 SHA256:<FINGERPRINT> <COMMENT> (ED25519-CERT)
$ ls ~/.ssh/
config    id_ed25519.pub

With the same configuration, 'ssh' defaults to looking for a certificate in ~/.ssh/id_ed25519.pub-cert:

$ ssh -vvv [email protected]
debug1: identity file ~/.ssh/id_ed25519.pub type 3
debug1: identity file ~/.ssh/id_ed25519.pub-cert type -1

I believe the expected behavior should also include searching for the certificate in the agent.

I have attempted a very simple fix.

The certificate is added from the agent with 'IdentitiesOnly Yes'. The code is redundant, but it works.

Yet another inconsistency: 'ssh-keygen' generates certificates in the form id_ed25519-cert.pub, whereas 'ssh' searches for id_ed25519.pub-cert.

AlexpFr, May 01 '24 17:05

I believe the expected behavior should also include searching for the certificate in the agent.

Why? Your configuration explicitly requests only a plain key be used:

Host exemple.org
	IdentityFile ~/.ssh/id_ed25519.pub
	IdentitiesOnly Yes

If you want the certificate too then why not specify it?

djmdjm, Aug 17 '24 08:08
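The configuration change the reply above points at, as an added example (it is not from the issue or from OpenSSH's own documentation): with 'IdentitiesOnly yes', ssh offers only the identities and certificates named in the configuration, so the certificate must be named explicitly with CertificateFile; the private key can still live only in ssh-agent. The certificate path assumes the ssh-keygen default of writing the certificate next to the key as id_ed25519-cert.pub.

```text
# Two versions of the same ~/.ssh/config stanza; keep only one of them.

# 1. As filed in the issue: only the plain key is offered. ssh probes for a
#    certificate at id_ed25519.pub-cert(.pub), which does not exist, and
#    with IdentitiesOnly the certificate held by the agent is never tried.
Host exemple.org
	IdentityFile ~/.ssh/id_ed25519.pub
	IdentitiesOnly yes

# 2. Corrected: name the certificate explicitly. IdentityFile may point at
#    the public half while the private key stays in ssh-agent, and
#    CertificateFile tells ssh which certificate to offer alongside it.
#    (Assumed path: the ssh-keygen default <key>-cert.pub.)
Host exemple.org
	IdentityFile ~/.ssh/id_ed25519.pub
	CertificateFile ~/.ssh/id_ed25519-cert.pub
	IdentitiesOnly yes
```

Running 'ssh -G exemple.org' prints the resolved client options for that host, so a 'certificatefile' line in its output confirms the directive is picked up before attempting a connection.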

Closing this for lack of response. It looks like user configuration is the problem here.

djmdjm, Dec 03 '24 09:12