macOS bundled OpenSSH_9.4p1 ssh-add doesn't support ecdsa-sha2-nistp256-cert-v01@openssh.com

It appears that macOS bundled OpenSSH_9.4p1 ssh-add does not support the ecdsa-sha2-nistp256-cert-v01@openssh.com ECDSA certificate format, though it does support the corresponding key format.


~
serhan@pc001 ❯ ssh -V
OpenSSH_9.4p1, LibreSSL 3.3.6

~
serhan@pc001 ❯ ssh-add --apple-use-keychain /Users/serhan/.cloudflared/access.serhanekici.com-cf_key
Identity added: /Users/serhan/.cloudflared/access.serhanekici.com-cf_key (/Users/serhan/.cloudflared/access.serhanekici.com-cf_key)
Certificate added: /Users/serhan/.cloudflared/access.serhanekici.com-cf_key-cert.pub (784eaadff21018d991cbbeb90d38ffe1)

~
serhan@pc001 ❯ head -c 50 /Users/serhan/.cloudflared/access.serhanekici.com-cf_key
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIJB+RObPPZQ%
~
serhan@pc001 ❯ ssh-add --apple-use-keychain /Users/serhan/.cloudflared/access.serhanekici.com-cf_key-cert.pub
Error loading key "/Users/serhan/.cloudflared/access.serhanekici.com-cf_key-cert.pub": invalid format

~
serhan@pc001 ❯ head -c 50 /Users/serhan/.cloudflared/access.serhanekici.com-cf_key-cert.pub
ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZ%

MacBook Air 15″, macOS 14.1

Posted on May 15, 2024 3:26 PM

Reply
Question marked as Top-ranking reply

Posted on May 15, 2024 5:22 PM

This is not a public key but an ECDSA certificate....



This certificate is intended to be offered to a server as shown below.



debug1: Offering public key: /Users/serhan/.cloudflared/access.serhanekici.com-cf_key-cert.pub ECDSA-CERT SHA256:vGpMXvU6hjIKTRJBRJIckcuVDtTrhVpx1ixfUUaP4h0 explicit
debug1: Server accepts key: /Users/serhan/.cloudflared/access.serhanekici.com-cf_key-cert.pub ECDSA-CERT SHA256:vGpMXvU6hjIKTRJBRJIckcuVDtTrhVpx1ixfUUaP4h0 explicit



However, macOS bundled OpenSSH `ssh-add` complaining about the certificate format. Therefore, I cannot add this certificate to my `ssh-agent`. As a result, certificate is not getting forwarded when using the `ForwardAgent yes` option or the `-a` flag which means I can use it only once. I could forward this cert to my bastion host and offer it to other servers as well if `ssh-add` would support the certificate format.


I figured it out though, leaving here if you anyone come across this as well:


Cert is not added manually (which is a very bad design choice) it is only added when you add it's key. Problem is, it was not getting added to ssh-agent automatically for some reason even when `ForwardAgent` is set. This is probably a lack of feature in OpenSSH itself.


~
serhan@pc001 ❯ ssh-add .cloudflared/access.serhanekici.com-cf_key
Identity added: .cloudflared/access.serhanekici.com-cf_key (.cloudflared/access.serhanekici.com-cf_key)
Certificate added: .cloudflared/access.serhanekici.com-cf_key-cert.pub (eceebdc019f3a062186d289fe31b54f4)


This did the trick, can be configured in config as below too.


Match host access.serhanekici.com exec "cloudflared access ssh-gen --hostname %h && ssh-add ~/.cloudflared/%h-cf_key"

Similar questions

2 replies
Question marked as Top-ranking reply

May 15, 2024 5:22 PM in response to MrHoffman

This is not a public key but an ECDSA certificate....



This certificate is intended to be offered to a server as shown below.



debug1: Offering public key: /Users/serhan/.cloudflared/access.serhanekici.com-cf_key-cert.pub ECDSA-CERT SHA256:vGpMXvU6hjIKTRJBRJIckcuVDtTrhVpx1ixfUUaP4h0 explicit
debug1: Server accepts key: /Users/serhan/.cloudflared/access.serhanekici.com-cf_key-cert.pub ECDSA-CERT SHA256:vGpMXvU6hjIKTRJBRJIckcuVDtTrhVpx1ixfUUaP4h0 explicit



However, macOS bundled OpenSSH `ssh-add` complaining about the certificate format. Therefore, I cannot add this certificate to my `ssh-agent`. As a result, certificate is not getting forwarded when using the `ForwardAgent yes` option or the `-a` flag which means I can use it only once. I could forward this cert to my bastion host and offer it to other servers as well if `ssh-add` would support the certificate format.


I figured it out though, leaving here if you anyone come across this as well:


Cert is not added manually (which is a very bad design choice) it is only added when you add it's key. Problem is, it was not getting added to ssh-agent automatically for some reason even when `ForwardAgent` is set. This is probably a lack of feature in OpenSSH itself.


~
serhan@pc001 ❯ ssh-add .cloudflared/access.serhanekici.com-cf_key
Identity added: .cloudflared/access.serhanekici.com-cf_key (.cloudflared/access.serhanekici.com-cf_key)
Certificate added: .cloudflared/access.serhanekici.com-cf_key-cert.pub (eceebdc019f3a062186d289fe31b54f4)


This did the trick, can be configured in config as below too.


Match host access.serhanekici.com exec "cloudflared access ssh-gen --hostname %h && ssh-add ~/.cloudflared/%h-cf_key"

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

macOS bundled OpenSSH_9.4p1 ssh-add doesn't support ecdsa-sha2-nistp256-cert-v01@openssh.com

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.