Filtering which identities are forwarded by ssh-agent to a given host

Ángel González keisial at
Mon Feb 2 10:48:30 AEDT 2015

On 02/02/15 00:18, Damien Miller wrote:
> On Sun, 1 Feb 2015, Bill Nugent wrote:
>> Host
>>          ForwardIdentity      .ssh/network-a-2014-10-12
>> and allow additional ForwardIndenty to allow additional keys.
> It's not possible to do this unfortunately, but is a feature that I've
> wanted for a long time. Implementing it required teaching ssh enough
> of the agent protocol to filter requests sent through it, and doing
> it exactly right so that users' agents aren't exposed when they connect
> to a malicious server - so it's not without risk.
IMHO the way to go is not teach ssh the agent protocol, but modify the 
protocol so that each request gets prepended the hostname requesting it
(forwarded connections would contain the full chain)

Then the agent itself would decide which keys to expose to such host.
"foo is available for any host", "Provide network-a-key only to and anything that passed through"
"Key bar is shown to all hosts but a confirmation dialog will be shown 
to the user
pointing at the host requesting it.", and so on.


More information about the openssh-unix-dev mailing list