On Thu, 2017-01-12 at 07:40 -0800, James Bottomley wrote:
> On Thu, 2017-01-12 at 13:06 +0100, Stef Walter wrote:
> > The thing is we'd like to get out of the business of doing SSH stuff in
> > gnome-keyring itself: https://bugzilla.gnome.org/show_bug.cgi?id=775981
> >
> > If the above were implemented, would it solve your use case?
>
> Not really. Unfortunately ssh-agent doesn't have a back-end store, so it
> insists on having the private keys passed in by ssh-add (which ssh-agent
> does by the component primes). This basically makes ssh-agent
> incompatible with any hardware-based key. That's not to say it can't be
> fixed, but the reason gnome-keyring was the number one target for this
> is because the architecture makes it easy.
But ssh-agent does support PKCS#11, so it *can* cope with the concept of calling an external API and not actually having the component primes locally...