ssh-agent use in different security domains

Peter Stuge peter at
Thu Oct 27 07:49:00 EST 2011

Saku Ytti wrote:
> > Only your ssh program instance can talk with your ssh-agent, because it
> > is running locally. Without agent forwarding, programs on the other host
> > can't connect to your agent, much less use your keys.
> Quite, but question here is, when you need to have ssh-agent in two
> different security domains. How to do it.

You're basically not supposed to.

Instead, you let each hop in every domain talk with your agent
directly, without using forwarding.

> Right now my solution seems to be that the higher security domain
> (domain1) I'll add with ssh-add -c and the less secure I can add
> normally (I don't care if domain1 evil admin hijacks and jumps to
> domain2 as me).

The logic seems inverted. Add the less secure domain with -c.

> To decrease annoyance of constant prompt, I'll use ControlMaster
> for domain1.

It's not so annoying, really. But ControlMaster is a good idea in any
case! It makes everything faster too!

> Optimal solution will inform ssh-agent who exactly is requesting
> the signing, so user can decide if it's expected/allowed or not.

Regardless of C skill you've studied the SSH and agent protocols by
now, so you know that this is not so simple.
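An added example, not part of the post or of OpenSSH itself, showing what the advice in this thread looks like as a client configuration: the agent is never forwarded, each hop authenticates against the local agent directly, ControlMaster multiplexes the higher-security domain so the key is only used once per session, and the less secure domain's key is the one loaded with `ssh-add -c`. The host names `domain1.example` and `domain2.example` and the two audit helpers are assumptions made for the example; `ControlPersist` is a standard ssh_config keyword.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): an ssh_config fragment
# following the advice above, plus two small audit helpers.
# Host names domain1.example / domain2.example are placeholders.

# Print the client-side config. Each hop talks to the local agent directly.
render_ssh_config() {
    cat <<'EOF'
# Global default: never forward the agent to a remote host.
Host *
    ForwardAgent no

# Higher-security domain: multiplex connections so the key is used once
# per session rather than once per command.
Host domain1.example
    ForwardAgent no
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m

# Less secure domain: no multiplexing; its key is loaded with
# `ssh-add -c` so every signature request asks for confirmation.
Host domain2.example
    ForwardAgent no
EOF
}

# Exit 0 if the config file in $1 enables agent forwarding anywhere.
# ssh_config keywords are case-insensitive, so match case-insensitively
# and strip comments first.
config_enables_forwarding() {
    sed 's/#.*//' "$1" | grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]]+yes'
}

# Print the number of ControlMaster lines set to auto/yes in $1.
count_controlmaster_hosts() {
    sed 's/#.*//' "$1" \
        | grep -Eic '^[[:space:]]*ControlMaster[[:space:]]+(auto|yes)' || true
}

# Usage: render_ssh_config > ~/.ssh/config.d/domains, then load keys with
#   ssh-add ~/.ssh/id_domain1            # higher-security domain, no prompt
#   ssh-add -c ~/.ssh/id_domain2         # less secure domain, confirm each use
```

The audit helpers are the defender's check: run `config_enables_forwarding` over an existing `~/.ssh/config` (or `/etc/ssh/ssh_config`) to find any host that still forwards the agent into a remote domain, and `count_controlmaster_hosts` to confirm multiplexing is actually configured before relying on it to reduce prompts.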

