Support for SSH Certificates (2024)

casmithva
Community Member

This question came up a couple of times in 2022, but it didn't look like anything was resolved. Since it's been two years...

For those unfamiliar with the concept, SSH certificates are host and user public keys, signed by your own internal SSH CA, that ease key approval and distribution, especially in large-scale environments. Once a user has created a public-private key-pair, the public key is signed by an (internal) SSH CA. The user then uses ssh-add to add the public key and, if present, the certificate file to the user's ssh agent. Here is a reasonably good writeup of how SSH certificates work.

Using stock ssh-add and ssh-agent on Mac OS 14, we can see the public key and certificate both being added to the agent:

$ /usr/bin/ssh-add .ssh/id_ed25519
Enter passphrase for .ssh/id_ed25519: 
Identity added: .ssh/id_ed25519 (<REDACTED>)
Certificate added: .ssh/id_ed25519-cert.pub (chris)

A remote host, when properly configured, will verify that my user certificate has not expired (expiration and inception times) and was issued by a trusted CA, whose key would have already been added to the server. This eliminates the need for me to maintain an authorized_keys file on the remote end.

I was hoping to be able to store these keys in 1Password. That certainly works; however, 1Password does not support certificates in either the user interface or the ssh agent. 1Password derives public keys from private keys but does not provide a way for the user to upload the certificate file, above and beyond attaching an arbitrary file. The ssh agent behind the scenes presumably also does not support certificates. For the moment, I have configured my ssh client to use the stock ssh-agent for the host that uses certificates, while everything else can go through 1Password.

Are there any plans to add support to the 1Password user interface and to the underlying ssh agent for certificates? Thanks!


1Password Version: 8.10
Extension Version: Not Provided
OS Version: macOS 14.2.1
Browser: Not Provided
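To make concrete what the remote host checks before trusting a user certificate (trusted CA, validity window, permitted principal), here is an added example that is not from the original post or from 1Password: a small Python parser for the ssh-ed25519 certificate format run over a constructed, unsigned sample certificate. The CA key bytes, the key id "chris" and the principals are assumed; real sshd additionally verifies the CA signature, which this example skips.

```python
import base64, struct, time, hashlib

def _s(b):          # encode an SSH "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _rd(buf, pos):  # decode one SSH "string" at pos, return (bytes, new_pos)
    n = struct.unpack(">I", buf[pos:pos + 4])[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def build_user_cert(key_id, principals, valid_after, valid_before, ca_pub):
    # Constructed ssh-ed25519-cert-v01 blob with dummy nonce, key and signature (no real crypto).
    body = _s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"\x11" * 32)
    body += struct.pack(">QI", 7, 1)                        # serial 7, type 1 = user certificate
    body += _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_before)   # validity window (unix seconds)
    body += _s(b"") + _s(b"") + _s(b"")                     # critical options, extensions, reserved
    body += _s(ca_pub) + _s(b"\x22" * 64)                   # signature key (the CA) and dummy signature
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode() + " chris"

CA_PUB = _s(b"ssh-ed25519") + _s(b"\x33" * 32)              # constructed CA public key blob (assumed)
EXAMPLE_CERT = build_user_cert("chris", ["chris", "deploy"], 1700000000, 1700003600, CA_PUB)

def parse_cert(line):
    blob = base64.b64decode(line.split()[1]); pos = 0; c = {}
    c["type"], pos = _rd(blob, pos)
    _nonce, pos = _rd(blob, pos); c["pubkey"], pos = _rd(blob, pos)
    c["serial"], c["cert_type"] = struct.unpack(">QI", blob[pos:pos + 12]); pos += 12
    c["key_id"], pos = _rd(blob, pos)
    princ_blob, pos = _rd(blob, pos); princs, p = [], 0
    while p < len(princ_blob):                              # principals are nested SSH strings
        name, p = _rd(princ_blob, p); princs.append(name.decode())
    c["principals"] = princs
    c["valid_after"], c["valid_before"] = struct.unpack(">QQ", blob[pos:pos + 16]); pos += 16
    for k in ("critical", "extensions", "reserved", "ca_key", "signature"):
        c[k], pos = _rd(blob, pos)
    return c

def ca_fingerprint(ca_pub):                                 # same form as ssh-keygen -l prints
    return "SHA256:" + base64.b64encode(hashlib.sha256(ca_pub).digest()).decode().rstrip("=")

def check_cert(line, trusted_ca_fps, login_user, now=None):
    # Mirrors sshd's TrustedUserCAKeys checks: trusted CA, inside validity window, principal allowed.
    c = parse_cert(line); now = int(time.time()) if now is None else now
    if c["cert_type"] != 1: return "rejected: not a user certificate"
    if ca_fingerprint(c["ca_key"]) not in trusted_ca_fps: return "rejected: unknown CA"
    if not (c["valid_after"] <= now < c["valid_before"]): return "rejected: outside validity window"
    if login_user not in c["principals"]: return "rejected: principal not permitted"
    return "accepted"
```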

Comments

  • ahnberg
    Community Member

    We'd love this too. I believe you need to have the certificates added to the agent to be able to use agent forwarding with certificates; and this currently doesn't work with the 1Password setup (which we otherwise really enjoy and actively use)!

  • lxdlam
    Community Member
    edited April 12

    Vote for this!

    Thanks to projects like step-ca and Hashicorp Vault, hosting a custom PKI is super easy nowadays, and more and more organizations are adopting SSH certificates as their main authentication solution.

    It will be a killer feature among all other password managers since no one seems to support SSH certificates by now.