ssh-agent use in different security domains

Saku Ytti saku at ytti.fi
Tue Oct 25 22:26:54 EST 2011


On 25 October 2011 14:15, Damien Miller <djm at mindrot.org> wrote:

> Well, you can run multiple agents listening at specified sockets using
> ssh-agent's -a option and switch between them manually by resetting
> SSH_AUTH_SOCK. There isn't any automated way at present.

Quite high overhead, I'm going to assume that people just generally take
the risk.

I talked with my non-c-challenged coworker about this issue, and he said
he'd write a patch for ssh-agent to query for permission to sign. But after a few
minutes of looking into ssh, he told me that ssh-agent does not know who
is asking for the signing. Which means we'd need a larger change to ssh, and
I doubt upstream would accept the patch :/.

-- 
  ++ytti
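The manual setup Damien describes above (one agent per socket via `ssh-agent -a`, switching `SSH_AUTH_SOCK` by hand) scripted per security domain, as an added shell example that is not part of this thread. The agent directory and the per-domain key layout under `~/.ssh/<domain>/` are assumptions.

```shell
#!/bin/sh
# One ssh-agent per security domain, each bound to its own socket with -a,
# plus a helper that points the current shell at the domain's agent.
# Source this file (". ./agents.sh") so use_domain can export into your shell.

AGENT_DIR="${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}/ssh-agents"   # assumed location

# Socket path for a named domain, e.g. "prod" or "lab".
agent_sock() {
    printf '%s/%s.sock\n' "$AGENT_DIR" "$1"
}

# Start an agent for the domain unless one already answers on its socket,
# then load that domain's keys (assumed to live in ~/.ssh/<domain>/id_*).
start_agent() {
    sock=$(agent_sock "$1")
    mkdir -p "$AGENT_DIR" && chmod 700 "$AGENT_DIR" || return 1
    if [ -S "$sock" ]; then
        # ssh-add -l exits 2 only when it cannot reach an agent at the socket.
        SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1
        [ $? -ne 2 ] && return 0
        rm -f "$sock"
    fi
    ssh-agent -a "$sock" >/dev/null || return 1
    for key in "$HOME/.ssh/$1"/id_*; do
        case "$key" in *.pub) continue ;; esac
        # -c asks for confirmation on every signature, so a stolen socket
        # still cannot sign silently (needs ssh-askpass).
        [ -f "$key" ] && SSH_AUTH_SOCK="$sock" ssh-add -c "$key"
    done
    return 0
}

# Switch the calling shell to the domain's agent; fails if none is running.
use_domain() {
    sock=$(agent_sock "$1")
    [ -S "$sock" ] || { echo "no agent for domain $1" >&2; return 1; }
    SSH_AUTH_SOCK="$sock"; export SSH_AUTH_SOCK
}

# Optional: ". ./agents.sh prod" starts and selects the prod agent at once.
if [ -n "${1:-}" ]; then
    start_agent "$1" && use_domain "$1" && ssh-add -l
fi
```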