ssh-agent use in different security domains

Saku Ytti saku at
Thu Oct 27 06:43:10 EST 2011

On 26 October 2011 22:29, Peter Stuge <peter at> wrote:

>> Maybe 'ssh-add -c' is something I want (otoh it should prompt always?
>> Which would be annoying.
> I don't find it so annoying. It takes a few logins to get used to the
> extra prompt, but that's it. I use x11-ssh-askpass which is fast and
> shows an unobtrusive prompt.

Well I must agree with you, considering the alternative being insecure
by definition or not using ssh-agent. It doesn't seem like that big problem.

(I figured out why it didn't work for me, I'm using some gnome agent, which
likely does not support this or is just buggy)

Anyhow my coworker is quite seriously thinking writing patch, which
would  display prompt for sign requests ncluding full path between
requested and localhost, (or for legacy hosts it would just prompt
that 'legacy hosts wants to sign with identity foo', no path, no host

He said it's not exactly difficult patch to make. But how likely it would be
to get something like this integrated upstream?

Today I feel that most people simply accept the security risk, if you have
multiple ssh keys in your 'ssh-add' and you're not using -c, you are highly
likely accessing two or more security domains and are bridging the domains


More information about the openssh-unix-dev mailing list