Filtering which identities are forwarded by ssh-agent to a given host

Damien Miller djm at
Mon Feb 2 13:53:44 AEDT 2015

On Mon, 2 Feb 2015, Ángel González wrote:

> IMHO the way to go is not teach ssh the agent protocol, but modify the agent
> protocol so that each request gets prepended the hostname requesting it
> (forwarded connections would contain the full chain)

Then you have to modify all of ssh, sshd and ssh-agent, and it doesn't
work until they are all upgraded.

Moreover, unless you include signing (by the hostkey) for forwarded hops
and verification of same at the agent side, then you can't trust anything
past the first hop.

That doesn't seem any easier to deploy or to get right (the hostkey
signing would be particularly scary).
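The thread contrasts two designs: change the agent protocol so every request carries the requesting host, or leave the protocol alone and put the host-to-identity policy somewhere that already knows which host a forwarded socket belongs to. The following is an added example, not code from this thread or from OpenSSH: a minimal offline model of a filtering proxy that sits between a forwarded socket and the real agent, speaks the unmodified agent wire format (uint32 length framing, a type byte, SSH "string" fields), and answers on behalf of the agent. The host name is assumed to be supplied out of band by whoever owns the proxy socket (for instance one socket per forwarding session); that trust question is exactly the one the thread raises and is not solved here. The key blobs, comments and host names are constructed stand-ins, the `FakeAgent` class replaces a real ssh-agent, and the `FilteringAgentProxy` name and its `policy` parameter are this example's own.

```python
import struct

# Agent protocol message numbers (PROTOCOL.agent in the OpenSSH source tree).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def put_string(b):
    """SSH 'string' encoding: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf, off):
    """Decode an SSH 'string' at offset off; returns (value, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def frame(body):
    """Every agent message on the socket is uint32 length + body."""
    return struct.pack(">I", len(body)) + body


def unframe(data):
    (n,) = struct.unpack_from(">I", data, 0)
    body = data[4:4 + n]
    if len(body) != n:
        raise ValueError("truncated frame")
    return body


def parse_identities_answer(body):
    """SSH_AGENT_IDENTITIES_ANSWER -> [(key_blob, comment), ...]."""
    if not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (nkeys,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(nkeys):
        blob, off = get_string(body, off)
        comment, off = get_string(body, off)
        keys.append((blob, comment.decode()))
    return keys


def build_identities_answer(keys):
    out = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        out += put_string(blob) + put_string(comment.encode())
    return out


class FakeAgent:
    """Stand-in for a real ssh-agent (constructed; the blobs are not real keys)."""

    def __init__(self, keys):
        self.keys = keys  # list of (blob, comment)

    def __call__(self, body):
        if body[0] == SSH_AGENTC_REQUEST_IDENTITIES:
            return build_identities_answer(self.keys)
        if body[0] == SSH_AGENTC_SIGN_REQUEST:
            blob, _ = get_string(body, 1)
            if any(blob == b for b, _ in self.keys):
                return bytes([SSH_AGENT_SIGN_RESPONSE]) + put_string(b"<fake-sig>")
        return bytes([SSH_AGENT_FAILURE])


class FilteringAgentProxy:
    """policy maps a host name to the set of key comments that host may use.
    A host with no policy entry sees no identities at all."""

    def __init__(self, upstream, policy):
        self.upstream = upstream  # callable: request body -> response body
        self.policy = policy

    def _permitted(self, host):
        allowed = self.policy.get(host, set())
        ids = parse_identities_answer(
            self.upstream(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        return [(blob, c) for blob, c in ids if c in allowed]

    def handle(self, host, request):
        """Takes and returns framed messages, as they appear on the socket."""
        body = unframe(request)
        if body[0] == SSH_AGENTC_REQUEST_IDENTITIES:
            return frame(build_identities_answer(self._permitted(host)))
        if body[0] == SSH_AGENTC_SIGN_REQUEST:
            # Hiding a key from the listing is not enough: a peer that already
            # knows the blob can still ask for a signature, so check here too.
            blob, _ = get_string(body, 1)
            if any(blob == b for b, _ in self._permitted(host)):
                return frame(self.upstream(body))
            return frame(bytes([SSH_AGENT_FAILURE]))
        # Add/remove/lock requests never belong on a forwarded socket.
        return frame(bytes([SSH_AGENT_FAILURE]))


def sign_request(blob, data=b"session-data", flags=0):
    """SSH_AGENTC_SIGN_REQUEST: byte 13, string key, string data, uint32 flags."""
    return frame(bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(blob)
                 + put_string(data) + struct.pack(">I", flags))


def demo():
    """Constructed scenario: the bastion may use only the 'work@laptop' key."""
    agent = FakeAgent([(b"blob-work", "work@laptop"), (b"blob-prod", "prod-deploy")])
    proxy = FilteringAgentProxy(agent, {"bastion.example": {"work@laptop"}})
    listing = frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
    listed = parse_identities_answer(unframe(proxy.handle("bastion.example", listing)))
    ok = unframe(proxy.handle("bastion.example", sign_request(b"blob-work")))[0]
    refused = unframe(proxy.handle("bastion.example", sign_request(b"blob-prod")))[0]
    return [c for _, c in listed], ok, refused
```

The proxy re-derives the permitted set from the upstream agent on every sign request rather than caching it from an earlier listing, so a peer that skips the listing step and goes straight to signing is still bound by the same policy. What it cannot do is tell a first-hop host from anything behind it: every request arriving on the socket is attributed to whichever host the proxy was told owns that socket, which is the same limitation the message above describes for an unsigned hostname chain.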


More information about the openssh-unix-dev mailing list