Possible values:

* yes -- unconditionally add loaded keys without restrictions
* no -- never add keys loaded from files to the agent
* ask -- ask the user for each key loaded from a file
* confirm -- unconditionally add keys with a flag that makes the agent ask the user each time the key is used (for signing)
* time spec -- lifetime of the key in the agent in seconds; the agent automatically removes the key after that time.
* confirm + time spec

If switched on, OpenSSH adds private keys to the agent once successfully loaded if they're not yet in the agent. (Before even trying to use them for authentication.)

Interestingly, some other combinations that appear useful are not supported by OpenSSH, for instance "ask time-spec" or "ask confirm time-spec".

This can be implemented in org.eclipse.jgit.ssh.apache once Apache MINA sshd 2.8.0 is released. 2.7.0 is missing some required bits. (I did already provide the necessary upstream changes.)
Also support SecurityKeyProvider here. The value is a string, which should be the path to a middleware library the agent uses for FIDO keys (sk-* keys). This string is passed along to the agent also as a key constraint, like confirm or the lifetime. I'm not sure Apache MINA sshd handles these keys correctly, though. But passing along that value to the agent for sk-* keys is easy to implement if one does AddKeysToAgent, and then the implementation would be complete at least from the JGit side. (At least for OpenSSH-compatible agents.)
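The value list in the description above can be turned into a small parser that yields the two agent-side constraints (confirm and lifetime) and rejects the unsupported combinations. This is an added example, not code from JGit or Apache MINA sshd; the class and method names are hypothetical, and it assumes the OpenSSH time format (concatenated `<number>[s|m|h|d|w]` parts, a bare number meaning seconds).

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added illustration; hypothetical class, not JGit or Apache MINA sshd code. */
public class AddKeysToAgentValue {
    // Assumed OpenSSH time spec: <number>[s|m|h|d|w] parts; a bare number is seconds.
    private static final Pattern PART = Pattern.compile("(\\d+)([smhdw]?)");
    final boolean add, ask, confirm; // ask: prompt before adding; confirm: agent prompts on each use
    final long lifetime;             // seconds until the agent removes the key; 0 = none

    AddKeysToAgentValue(boolean add, boolean ask, boolean confirm, long lifetime) {
        this.add = add; this.ask = ask; this.confirm = confirm; this.lifetime = lifetime;
    }

    static long parseTime(String spec) { // expects a lower-case spec
        Matcher m = PART.matcher(spec);
        long total = 0;
        int end = 0;
        while (m.find() && m.start() == end) { // parts must be contiguous
            String u = m.group(2);
            long unit = u.equals("m") ? 60 : u.equals("h") ? 3600
                    : u.equals("d") ? 86400 : u.equals("w") ? 604800 : 1;
            total = Math.addExact(total, Math.multiplyExact(Long.parseLong(m.group(1)), unit));
            end = m.end();
        }
        // Reject junk, a zero lifetime (this sketch's choice) and values beyond uint32,
        // the size of the lifetime constraint in the agent protocol.
        if (total == 0 || end != spec.length() || total > 0xFFFFFFFFL)
            throw new IllegalArgumentException("bad time spec: " + spec);
        return total;
    }

    static AddKeysToAgentValue parse(String value) {
        String[] w = value.trim().toLowerCase(Locale.ROOT).split("\\s+");
        if (w.length == 2 && w[0].equals("confirm")) // the one supported combination
            return new AddKeysToAgentValue(true, false, true, parseTime(w[1]));
        if (w.length != 1) // e.g. "ask 1h" or "ask confirm 1h"
            throw new IllegalArgumentException("unsupported value: " + value);
        switch (w[0]) {
            case "yes": return new AddKeysToAgentValue(true, false, false, 0);
            case "no": return new AddKeysToAgentValue(false, false, false, 0);
            case "ask": return new AddKeysToAgentValue(true, true, false, 0);
            case "confirm": return new AddKeysToAgentValue(true, false, true, 0);
            default: return new AddKeysToAgentValue(true, false, false, parseTime(w[0]));
        }
    }
    public static void main(String[] args) { // e.g. java AddKeysToAgentValue.java "confirm 1h30m"
        AddKeysToAgentValue a = parse(args[0]);
        System.out.println("add=" + a.add + " ask=" + a.ask + " confirm=" + a.confirm + " lifetime=" + a.lifetime);
    }
}
```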
New Gerrit change created: https://git.eclipse.org/r/c/jgit/jgit/+/189376
Gerrit change https://git.eclipse.org/r/c/jgit/jgit/+/189376 was merged to [master]. Commit: http://git.eclipse.org/c/jgit/jgit.git/commit/?id=b73548bc4c9b3cedb1d381c802186dcd43829a27