ssh-agent use in different security domains

Saku Ytti saku at
Tue Oct 25 21:48:52 EST 2011

On 25 October 2011 13:28, Damien Miller <djm at> wrote:

> to another host. The risk comes in when your _forward_ your agent to a
> potentially-untrustworthy server. If you aren't forwarding your agent
> then you don't need to worry.

Quite. I desire to connect from domain1-server1 to domain1-server2
and from domain2-server1 to domain2-server2, so forwarding is needed.

> If you are forwarding your agent, then right now we don't have any way to
> limit key visibility. To do this we'd need to either build it into
> ssh-agent or into ssh itself.

Maybe 'ssh-add -c' is something I want (otoh it should prompt always?
Which would be annoying. But I couldn't get it working). I'd really prefer
.ssh/known_hosts style, like .ssh/agent_db,  where agent would remember
when it is allowed to sign.

> alleviated somewhat if the agent code were in a library that is shared
> by ssh-add / ssh and possible ssh-agent - I've made a small start towards
> this on the plane back from EuroBSDCon, but it will be a while before it
> is ready.

That's good news, hope it pans out. Just to verify that I'm not missing
something obvious. As I understand this is fairly typical usage scenario.
How are other people addressing this?


More information about the openssh-unix-dev mailing list