Filtering which identities are forwarded by ssh-agent to a given host

Damien Miller djm at mindrot.org
Mon Feb 2 10:18:54 AEDT 2015


On Sun, 1 Feb 2015, Bill Nugent wrote:

> Howdy,
> 
> I'm looking for a way to restrict which ssh keys are forwarded to a 
> given remote host because we have several ssh domains.  That is, I have 
> two keys which I use throughout the day:
>   .ssh/network-a-2014-10-12
>   .ssh/network-b-2014-11-22
> 
> I need to forward my network A key to the ssh gateway host for Network A
> to allow me to log into hosts on the other side of the gateway but I 
> can't have the key for Network B forwarded.  Similar thing for 
> Network B.  Deleting and adding is painful at best.  I've experimented 
> with IdentitiesOnly=yes and IdentityFiles but on the network A gateway I 
> still see all of my loaded keys including Network B.  Is there a way to 
> do this already?  If not, would a Bugzilla enhancement request be 
> welcome?  Perhaps requesting something along the lines of:
> 
> Host network-a-gateway.example.com
>         ForwardIdentity      .ssh/network-a-2014-10-12
> and allow additional ForwardIdentity lines to allow additional keys.

It's not possible to do this unfortunately, but it is a feature that I've
wanted for a long time. Implementing it would require teaching ssh enough
of the agent protocol to filter requests sent through it, and doing
it exactly right so that users' agents aren't exposed when they connect
to a malicious server - so it's not without risk.

I'd still like to implement it one day, but I'm not likely to get to
it any time soon (I can't speak for the other developers). 

OTOH you could probably write an "agent proxy" pretty easily that
presented its own SSH_AUTH_SOCK to ssh and massaged the requests
and replies going through it to the real agent. E.g.

agentproxy -i ~/.ssh/id_rsa_xyzzy.pub ssh -tt xyzzy-bastion ssh xyzzy

This way you get to write it in the language of your choice :)

The agent protocol is pretty simple and is documented in the
PROTOCOL.agent file in the OpenSSH distribution, or at
https://anongit.mindrot.org/openssh.git/plain/PROTOCOL.agent

-d
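The agent proxy sketched above, written out as an added example (this is not code from the thread, from Bill, from Damien or from OpenSSH). It assumes the wire format in PROTOCOL.agent: every message is a uint32 length followed by a type byte and payload, SSH_AGENTC_REQUEST_IDENTITIES (11) is answered by SSH_AGENT_IDENTITIES_ANSWER (12) carrying a key count and (blob, comment) string pairs, and SSH_AGENTC_SIGN_REQUEST (13) begins with the key blob to sign with. The proxy listens on its own Unix socket, which the user exports as SSH_AUTH_SOCK before running ssh, and relays to the real agent while rewriting identity lists to the allow-listed keys, refusing signing with any other key, and refusing every other request type outright (a forwarded client never needs to add, remove or lock keys, so those messages should not be reachable from a remote host at all). Socket paths and the `.pub` file names are placeholders; the `agentproxy.py` name is invented for the usage comment.

```python
"""Filtering ssh-agent proxy (added example; not code from the thread or OpenSSH).
Listens on its own socket, which you export as SSH_AUTH_SOCK before running ssh,
and relays to the real agent while hiding every key not on an allow-list.
Message numbers and wire format follow PROTOCOL.agent."""
import base64, os, socket, struct, sys

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13

def put_string(b):
    """Agent-protocol string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def get_string(buf, off):
    """Decode a string at `off`; return (value, next offset); reject truncation."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated agent message")
    return buf[off:off + n], off + n

def load_pubkey_blob(line):
    """Wire-format key blob from an OpenSSH .pub / authorized_keys line."""
    return base64.b64decode(line.split()[1])

def filter_identities_answer(msg, allowed):
    """Rewrite SSH_AGENT_IDENTITIES_ANSWER (type byte + payload, no outer length)
    so that only blobs in `allowed` remain; any other reply passes unchanged."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        return msg
    (nkeys,) = struct.unpack_from(">I", msg, 1)
    off, kept = 5, []
    for _ in range(nkeys):
        blob, off = get_string(msg, off)
        comment, off = get_string(msg, off)
        if blob in allowed:
            kept.append(put_string(blob) + put_string(comment))
    return bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(kept)) + b"".join(kept)

def handle_client_message(msg, allowed):
    """Policy for one client->agent message: ("forward", msg) relays it to the real
    agent; ("reply", msg) answers the client with SSH_AGENT_FAILURE. Only list and
    sign requests are ever forwarded, so add/remove/lock cannot reach the agent."""
    failure = bytes([SSH_AGENT_FAILURE])
    if msg and msg[0] == SSH_AGENTC_REQUEST_IDENTITIES:
        return ("forward", msg)
    if msg and msg[0] == SSH_AGENTC_SIGN_REQUEST:
        try:
            blob, _ = get_string(msg, 1)  # key blob is the first field of a sign request
        except (ValueError, struct.error):
            return ("reply", failure)     # malformed request: never forward it
        if blob in allowed:
            return ("forward", msg)
    return ("reply", failure)  # disallowed key or disallowed request type

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None  # peer closed
        buf += chunk
    return buf

def read_message(sock):
    """Read one length-prefixed agent message body; None on EOF."""
    hdr = recv_exact(sock, 4)
    return None if hdr is None else recv_exact(sock, struct.unpack(">I", hdr)[0])

def serve(listen_path, agent_path, allowed):
    """Accept ssh clients on listen_path; relay filtered traffic to the real agent."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(listen_path)
    os.chmod(listen_path, 0o600)  # only our user may talk to the proxy
    srv.listen(8)
    while True:
        client, _ = srv.accept()
        with client, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as agent:
            agent.connect(agent_path)
            while (msg := read_message(client)) is not None:
                action, out = handle_client_message(msg, allowed)
                if action == "forward":
                    agent.sendall(put_string(out))
                    out = read_message(agent)
                    if out is None:
                        break
                    out = filter_identities_answer(out, allowed)
                client.sendall(put_string(out))

if __name__ == "__main__":
    # usage: agentproxy.py /path/to/proxy.sock ~/.ssh/network-a-2014-10-12.pub [more .pub]
    # then:  SSH_AUTH_SOCK=/path/to/proxy.sock ssh -A network-a-gateway.example.com
    keys = {load_pubkey_blob(open(p).read()) for p in sys.argv[2:]}
    serve(sys.argv[1], os.environ["SSH_AUTH_SOCK"], keys)
```

The policy is deny-by-default on request type as well as on key, which is what addresses the risk Damien raises: a gateway that turns out to be hostile can enumerate and use only the keys you chose to expose to it, and cannot reach any other agent operation. The proxy does the filtering on the client side before anything leaves the machine, so a modified or compromised remote host has nothing to tamper with.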

