upstream: In ssh(1), don't try to match certificates held in an

agent to private keys.

This matching is done to support certificates that were
loaded without their private key material, but is unnecessary for
agent-hosted certificate which always have private key material
loaded in the agent. Worse, this matching would mess up the
request sent to the agent in such a way as to break usage of these
keys when the key usage was restricted in the agent.

Patch from Thibault Cools via bz3752, ok dtucker@

OpenBSD-Commit-ID: ebfe37817dad4841c53339930565242ec683d726

Author: djmdjm

sshconnect2.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.378 2025/09/15 04:51:35 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.379 2026/01/21 23:58:20 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -1341,7 +1341,7 @@ sign_and_send_pubkey(struct ssh *ssh, Identity *id)
 	 * This will try to set sign_id to the private key that will perform
 	 * the signature.
 	 */
-	if (sshkey_is_cert(id->key)) {
+	if (id->agent_fd == -1 && sshkey_is_cert(id->key)) {
 		TAILQ_FOREACH(private_id, &authctxt->keys, next) {
 			if (sshkey_equal_public(id->key, private_id->key) &&
 			    id->key->type != private_id->key->type) {