
The ssh-agent protocol has always had the ability to sign data. It sounds like the new part is being able to verify signatures without needing the private key.

If you give ssh-agent some data and a public key then — if it has the corresponding private key — it will return a signature for your data using that private key.

The protocol command is SSH_AGENTC_SIGN_REQUEST and it’s the bread and butter of how the agent does its job.

Historically, it’s not tractable for public sign/verify but you can use it as a way to do symmetric encrypt/decrypt with ssh-agent.
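The SSH_AGENTC_SIGN_REQUEST exchange described in the comment above, as an added example that is not part of the thread: it frames the request and parses the reply with bounds checks, following the message layout in draft-miller-ssh-agent. The key blob and signature bytes are constructed placeholders, and the helper names are this example's own.

```python
import struct

SSH_AGENT_FAILURE = 5          # message numbers from draft-miller-ssh-agent
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14

def ssh_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    """Read one SSH string at off, refusing lengths that overrun buf."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("string runs past end of buffer")
    return buf[off + 4:end], end

def build_sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """Frame: uint32 len | byte 13 | string key_blob | string data | uint32 flags."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))
    return struct.pack(">I", len(body)) + body

def parse_sign_response(frame: bytes):
    """Return (algorithm, signature_blob), or None if the agent refused."""
    if len(frame) < 5 or int.from_bytes(frame[:4], "big") != len(frame) - 4:
        raise ValueError("bad frame length")
    if frame[4] == SSH_AGENT_FAILURE:
        return None  # agent refused or does not hold the key
    if frame[4] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError(f"unexpected message type {frame[4]}")
    sig, end = read_string(frame, 5)
    alg, off = read_string(sig, 0)    # signature = string alg | string blob
    blob, off = read_string(sig, off)
    if end != len(frame) or off != len(sig):
        raise ValueError("trailing bytes")
    return alg.decode("ascii"), blob

# Constructed sample data (placeholder bytes, not a real key or signature).
KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)
REQUEST = build_sign_request(KEY_BLOB, b"challenge")
RESPONSE_BODY = bytes([SSH_AGENT_SIGN_RESPONSE]) + ssh_string(
    ssh_string(b"ssh-ed25519") + ssh_string(b"\x22" * 64))
RESPONSE = struct.pack(">I", len(RESPONSE_BODY)) + RESPONSE_BODY
FAILURE = struct.pack(">I", 1) + bytes([SSH_AGENT_FAILURE])
```
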




It hasn't been able to do it in a meaningful way.

I've been patching support for this into ssh-agent for about a decade. I wrote a PKCS#11 module which talks to the SSH agent socket to forward your smartcard [0]. Doing so requires three changes to the protocol:

1. The ability to sign arbitrary data and get back the signed result [1]; normally you get back a hashed result [2].

2. The ability to decrypt data; this is what you said. This is less important since many things only require signatures (and not all algorithms support encryption/decryption).

3. The ability to request your certificates [3] [4]; this one is kinda obvious.

The benefits of this are that you can use your smartcard on the remote host to do fully authenticated password-less sudo with pam_pkcs11. You can also do anything else that requires your private key to be used, which can include fetching files (TLS client certificate authentication).

Within the US Government, passwords have been being phased out since 2004, but the requirements for authenticated privilege elevation remain.

Another way to accomplish this is to use SSH forwarding of your PC/SC socket but that's less portable and more fragile (and even less secure).

[0] https://github.com/rkeene/ssh-agent-pkcs11

[1] https://cackey.rkeene.org/fossil/artifact/0d0e90bbfdee672c?l...

[2] https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent...

[3] https://cackey.rkeene.org/fossil/artifact/0d0e90bbfdee672c?l...

[4] https://datatracker.ietf.org/doc/html/rfc6187#section-2.1


Is there a benefit to using ssh-agent in this way instead of using gpg-agent as an ssh provider?


You get X.509 certificates from the smartcard, which can be used much more widely than GPG.


Have you published your ssh-agent patches?


Yes, though primarily forge.mil as a patched OpenSSH source. It was based on an original PKCS#11 support [0] [1]. An old version of the patch is pretty small and available here [2].

Additionally, I wrote an SSH Agent (in JavaScript, for ChromeOS, but works on any platform) that has these modifications [3]. I use this more frequently these days (via Tcl [4]).

[0] https://marc.info/?l=openssh-bugs&m=119214228626872

[1] https://rkeene.org/viewer/archive/openssh/openssh-4.4p1pkcs1...

[2] https://rkeene.org/viewer/archive/openssh/openssh-4.5p1-pkcs...

[3] https://cackey.rkeene.org/fossil/artifact/0d0e90bbfdee672c

[4] https://cackey.rkeene.org/fossil/artifact/183583332c474aa9


Thanks!


The use of ssh-agent may be forbidden at some places, even on personal machines. I knew a few. And not that it's completely unjustified.


How about gpg-agent? Is that forbidden?


Nobody used or asked about gpg-agent back then ) The point about ssh-agent was that it stored personal keys in memory of machines shared by multiple users (admins, shifters, devs). So everyone had to type in passwords for every "ssh" )



