
637 points h1x | 1 comments
gorgoiler No.29208735
The ssh-agent protocol has always had the ability to sign data. It sounds like the new part is being able to verify signatures without needing the private key.

If you give ssh-agent some data and a public key then — if it has the corresponding private key — it will return a signature for your data using that private key.

The protocol command is SSH_AGENTC_SIGN_REQUEST and it’s the bread and butter of how the agent does its job.

Historically, it’s not tractable for public sign/verify but you can use it as a way to do symmetric encrypt/decrypt with ssh-agent.

replies(2): >>29208833 #>>29208896 #
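To make the SSH_AGENTC_SIGN_REQUEST exchange described above concrete, here is an added example (not code from the thread or from OpenSSH) that builds and parses the agent protocol messages as specified in draft-miller-ssh-agent: a uint32 length prefix, a one-byte message type, then SSH wire "string" fields. The key blob, the data, and the ed25519 signature bytes used in the offline demonstration are constructed placeholders; the optional `sign_with_agent` function talks to a real agent over `$SSH_AUTH_SOCK` only when that variable is set.

```python
"""ssh-agent protocol framing for SSH_AGENTC_SIGN_REQUEST (added example).

Wire format (draft-miller-ssh-agent): uint32 length | byte type | payload.
A 'string' is a uint32 big-endian length followed by that many bytes.
"""
import os
import socket
import struct

SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
# Sign-request flags: RSA hash selection; 0 for ed25519 / ecdsa keys.
SSH_AGENT_RSA_SHA2_256 = 0x02
SSH_AGENT_RSA_SHA2_512 = 0x04


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire 'string'."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Decode an SSH wire 'string' at offset, returning (value, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off:off + n], off + n


def frame(msg_type: int, payload: bytes = b"") -> bytes:
    """Wrap type + payload in the agent's uint32 length prefix."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def build_sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """SSH_AGENTC_SIGN_REQUEST: string key blob, string data, uint32 flags."""
    return frame(SSH_AGENTC_SIGN_REQUEST,
                 ssh_string(key_blob) + ssh_string(data) + struct.pack(">I", flags))


def encode_sign_response(alg: str, sig: bytes) -> bytes:
    """What an agent sends back: a string holding an SSH signature blob
    (string algorithm name, string signature bytes)."""
    return frame(SSH_AGENT_SIGN_RESPONSE, ssh_string(ssh_string(alg.encode()) + ssh_string(sig)))


def parse_reply(raw: bytes) -> tuple[int, bytes]:
    """Split a framed reply into (type, payload), checking the length prefix."""
    if len(raw) < 5:
        raise ValueError("reply too short")
    (n,) = struct.unpack_from(">I", raw, 0)
    if n != len(raw) - 4:
        raise ValueError("length prefix does not match reply size")
    return raw[4], raw[5:]


def parse_sign_response(raw: bytes) -> tuple[str, bytes]:
    """Return (algorithm name, signature bytes); raise if the agent refused."""
    msg_type, payload = parse_reply(raw)
    if msg_type == SSH_AGENT_FAILURE:
        # No matching private key loaded, agent locked, or confirmation denied.
        raise RuntimeError("agent refused to sign")
    if msg_type != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError(f"unexpected message type {msg_type}")
    sig_blob, _ = read_string(payload, 0)
    alg, off = read_string(sig_blob, 0)
    sig, _ = read_string(sig_blob, off)
    return alg.decode(), sig


def parse_identities_answer(raw: bytes) -> list[tuple[bytes, str]]:
    """SSH_AGENT_IDENTITIES_ANSWER: uint32 count, then (key blob, comment) pairs."""
    msg_type, payload = parse_reply(raw)
    if msg_type != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError(f"unexpected message type {msg_type}")
    (count,) = struct.unpack_from(">I", payload, 0)
    off, keys = 4, []
    for _ in range(count):
        blob, off = read_string(payload, off)
        comment, off = read_string(payload, off)
        keys.append((blob, comment.decode(errors="replace")))
    return keys


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return buf


def _agent_call(sock: socket.socket, msg: bytes) -> bytes:
    sock.sendall(msg)
    hdr = _recv_exact(sock, 4)
    return hdr + _recv_exact(sock, struct.unpack(">I", hdr)[0])


def sign_with_agent(key_blob: bytes, data: bytes, flags: int = 0) -> tuple[str, bytes]:
    """Ask the live agent at $SSH_AUTH_SOCK to sign data with the given public key."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(os.environ["SSH_AUTH_SOCK"])
        return parse_sign_response(_agent_call(sock, build_sign_request(key_blob, data, flags)))


if __name__ == "__main__":
    if "SSH_AUTH_SOCK" in os.environ:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.connect(os.environ["SSH_AUTH_SOCK"])
            keys = parse_identities_answer(_agent_call(s, frame(SSH_AGENTC_REQUEST_IDENTITIES)))
        for blob, comment in keys:
            alg, sig = sign_with_agent(blob, b"data to sign")
            print(f"{comment}: {alg} signature, {len(sig)} bytes")
    else:
        # Offline: round-trip a constructed reply to show the response shape.
        print(parse_sign_response(encode_sign_response("ssh-ed25519", b"\x00" * 64)))
```

Note that the signature comes back wrapped in an SSH signature blob (algorithm name, then the raw signature), which is the same encoding the SSH transport puts on the wire, and that a bare SSH_AGENT_FAILURE is all you get when no loaded key matches the blob you sent.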
IYasha No.29208833
The use of ssh-agent may be forbidden at some places, even on personal machines. I knew a few. And not that it's completely unjustified.
replies(1): >>29209254 #
visualphoenix No.29209254
How about gpg-agent? Is that forbidden?
replies(1): >>29304035 #
IYasha No.29304035
Nobody used or asked about gpg-agent back then ) The point about ssh-agent was that it stored personal keys in memory of machines shared by multiple users (admins, shifters, devs). So everyone had to type in passwords for every "ssh" )