ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different usage domains (e.g. files vs email).
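As an added example (not part of the release note or of OpenSSH itself), the shell session below exercises the feature as described: a throwaway ed25519 key signs a constructed artifact in the "file" namespace, an allowed_signers list that trusts that key only for that namespace is used to verify it, and the same signature is then shown to be rejected both under a different namespace and over a tampered message. It assumes an ssh-keygen of at least 8.0 on PATH; the principal name alice@example.com and all file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sign with `ssh-keygen -Y sign` and verify with `ssh-keygen -Y verify`
# against an allowed_signers list. Key, artifact and principal are constructed here;
# requires ssh-keygen >= 8.0 on PATH.
set -eu

SIGNER='alice@example.com'   # principal name in allowed_signers (constructed)

# sshsig_setup DIR: generate a throwaway ed25519 key, a sample artifact, an
# allowed_signers file that trusts that key only in the "file" namespace, and
# a signature over the artifact in that namespace (written to DIR/artifact.sig).
sshsig_setup() {
  dir=$1
  mkdir -p "$dir"
  ssh-keygen -q -t ed25519 -N '' -C "$SIGNER" -f "$dir/alice"
  printf 'release-1.0.tar.gz contents (constructed sample)\n' > "$dir/artifact"
  # allowed_signers line: principal, options, key type, base64 key.
  # namespaces="file" restricts this key to file signatures only.
  printf '%s namespaces="file" %s\n' "$SIGNER" "$(cut -d' ' -f1,2 "$dir/alice.pub")" \
    > "$dir/allowed_signers"
  # -n embeds the namespace in the signature, so it cannot be replayed as,
  # say, an email signature even by someone holding the same .sig file.
  ssh-keygen -Y sign -f "$dir/alice" -n file "$dir/artifact" >/dev/null 2>&1
}

# sshsig_verify DIR NAMESPACE MESSAGE_FILE: exit 0 if DIR/artifact.sig is a good
# signature over MESSAGE_FILE under NAMESPACE per DIR/allowed_signers, else non-zero.
# The message is fed on stdin, which is how `-Y verify` expects it.
sshsig_verify() {
  dir=$1; ns=$2; msg=$3
  ssh-keygen -Y verify -f "$dir/allowed_signers" -I "$SIGNER" -n "$ns" \
    -s "$dir/artifact.sig" < "$msg" >/dev/null 2>&1
}

# sshsig_demo DIR: run the three checks a practitioner cares about and report
# each; returns 0 only if all three behave as expected.
sshsig_demo() {
  dir=$1
  sshsig_setup "$dir"
  ok=0
  if sshsig_verify "$dir" file "$dir/artifact"; then
    echo "good: signature verifies in namespace 'file'"
  else
    echo "FAIL: expected a good signature"; ok=1
  fi
  # Wrong namespace: the namespace embedded in the signature does not match,
  # and the allowed_signers entry does not permit "email" either.
  if sshsig_verify "$dir" email "$dir/artifact"; then
    echo "FAIL: signature should not verify in namespace 'email'"; ok=1
  else
    echo "good: rejected in namespace 'email'"
  fi
  # Tampered message: any change to the signed bytes must fail verification.
  printf 'release-1.0.tar.gz contents (tampered)\n' > "$dir/artifact.tampered"
  if sshsig_verify "$dir" file "$dir/artifact.tampered"; then
    echo "FAIL: tampered artifact should not verify"; ok=1
  else
    echo "good: tampered artifact rejected"
  fi
  return $ok
}

# Stand-alone run in a temporary directory.
sshsig_demo "$(mktemp -d)"
```

To sign with a key held in ssh-agent instead of on disk, pass the public key to `-f` and let ssh-keygen find the matching private key in the agent; the verification side is unchanged, since it only ever sees the allowed_signers list and the signature.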
Thank you for sharing this feature, although, I’m starting to think that this kind of feature makes ssh-keygen a tool that does things I don’t expect it to do….
With all due respect, this is probably a redundant effort.
Upstream OpenSSH has been working on adding signatures via ssh-keygen -Y starting in 8.0:
That’s a reasonable point, maybe suggest they spin it out into something like ssh-sign on the mailing list. See also https://github.com/jschauma/jass which is on similar lines.
You may also be interested in age, which is in the process of being written by a cryptography engineer at Google.