Filtering which identities are forwarded by ssh-agent to a given host

Ángel González keisial at
Mon Feb 2 06:15:01 AEDT 2015

On 01/02/15 13:52, Bill Nugent wrote:
> Howdy,
> I'm looking for a way to restrict which ssh keys are forwarded to a
> given remote host because we have several ssh domains.  That is, I have
> two keys which I use throughout the day:
>    .ssh/network-a-2014-10-12
>    .ssh/network-b-2014-11-22
> I need to forward my network A key to the ssh gateway host for Network A
> to allow me to log into hosts on the other side of the gateway but I
> can't have the key for Network B to be forwarded.  Similar thing for
> Network B.  Deleting and adding is painful at best.  I've experimented
> with IdentitiesOnly=yes and IdentityFiles but on the network A gateway I
> still see all of my loaded keys including Network B.  Is there a way to
> do this already?  If not, would a Bugzilla enhancement request be
> welcome?  Perhaps requesting something along the lines of:
In addition to using two agents, you can stop forwarding your keys to
the gateway. Instead, use a ProxyCommand to locally establish the
connection to the hosts inside (you will pass through the gateway, but
the ssh process is local, and will honor your IdentityFile setting).
The problem was that the IdentityFile was being honored by the ssh at
the gateway host; the agent doesn't have that knowledge.
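As an added illustration of the ProxyCommand approach described above (this is example code, not part of the original thread or of OpenSSH itself): a per-network ssh_config in which every hop to an inner host is made by a local ssh process through the gateway, so IdentityFile and IdentitiesOnly are honoured for the inner host and the agent is never forwarded to the gateway. The gateway names gw-a/gw-b, the example.com hostnames, the *.a.internal and *.b.internal patterns, and the offline awk check are assumptions made for this example; the key file names are the ones from the question.

```shell
#!/bin/sh
# Added example, not from the original thread. Replaces agent forwarding with a
# local ProxyCommand hop per network, so the ssh that authenticates to an inner
# host runs on the workstation and honours IdentityFile/IdentitiesOnly.
# Gateway names, example.com hostnames and the *.a.internal / *.b.internal
# patterns are assumptions for this example.

write_ssh_config() {   # $1 = path of the ssh_config to write
  cat > "$1" <<'EOF'
# Network A: the gateway, then anything behind it via a local ProxyCommand.
Host gw-a
    HostName gw-a.example.com
    IdentityFile ~/.ssh/network-a-2014-10-12
    IdentitiesOnly yes
    ForwardAgent no

Host *.a.internal
    # stdio forwarding (ssh -W) through gw-a; the outer ssh that logs in to
    # %h is local, so only the network-A key is ever offered to it, even
    # when an agent holding both keys is running.
    ProxyCommand ssh -W %h:%p gw-a
    IdentityFile ~/.ssh/network-a-2014-10-12
    IdentitiesOnly yes
    ForwardAgent no

# Network B: same pattern, different key.
Host gw-b
    HostName gw-b.example.com
    IdentityFile ~/.ssh/network-b-2014-11-22
    IdentitiesOnly yes
    ForwardAgent no

Host *.b.internal
    ProxyCommand ssh -W %h:%p gw-b
    IdentityFile ~/.ssh/network-b-2014-11-22
    IdentitiesOnly yes
    ForwardAgent no
EOF
}

# Offline sanity check of the file above (assumed helper, plain awk): every
# Host stanza must pin exactly one IdentityFile, set IdentitiesOnly yes and
# ForwardAgent no. Exit status 0 = all stanzas pass, 1 = at least one stanza
# would forward the agent or offer more than its own key.
check_config() {
  awk '
    function finish() { if (keys != 1 || !only || !fwd) bad++ }
    /^Host[ \t]/ { if (host != "") finish(); host = $2; keys = 0; only = 0; fwd = 0; next }
    /^[ \t]*IdentityFile[ \t]/ { keys++ }
    /^[ \t]*IdentitiesOnly[ \t]+yes/ { only = 1 }
    /^[ \t]*ForwardAgent[ \t]+no/ { fwd = 1 }
    END { if (host != "") finish(); exit (bad > 0) }
  ' "$1"
}

# Live checks once the file is installed as ~/.ssh/config (need a real ssh
# and the gateways; not run here):
#   ssh -G box1.a.internal | grep -iE '^(identityfile|identitiesonly|forwardagent|proxycommand)'
#       -> one identityfile line, identitiesonly yes, forwardagent no (ssh -G needs OpenSSH 6.8+)
#   ssh -v box1.a.internal 2>&1 | grep -i offering
#       -> only network-a-2014-10-12 is offered
#   ssh gw-a ssh-add -l
#       -> fails: no agent socket exists on the gateway any more
```

The `ssh -W %h:%p` form of ProxyCommand needs OpenSSH 5.4 or later; from OpenSSH 7.3 on, `ProxyJump gw-a` in the `*.a.internal` stanza is shorthand for the same thing. With `IdentitiesOnly yes`, an agent that still holds both keys is harmless: ssh only uses agent keys that match the stanza's IdentityFile.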


More information about the openssh-unix-dev mailing list