Using confirmation of key usage per-host?

Johannes Kastl mail at ojkastl.de
Tue Feb 24 06:45:46 AEDT 2015


Dear all,

bear with me, I know the SUBJECT sounds pretty unclear. I'll clarify
in a minute. And please excuse that due to the keywords being unclear
no usable help was found on google & Co...

Assume there is a workstation, which connects to multiple machines,
one of which is considered potentially unsafe. So, it would be nice to
have agent forwarding to that machine combined with the confirmation
option of ssh-add (-c). If the 'forwarded key' is used on this
machine, the user is prompted on the workstation. An intruder cannot
use the authentication information without the user knowing (at least
that is how I understood the idea of agent confirmation).

Using ssh-add -c on the workstation together with setting
'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour.

Unfortunately, this means the user is asked for confirmation each
time the key is used, even if it is just to connect to a safe machine
or without agent forwarding.

Question:
Is it possible to just get asked for confirmation, when the key is
used on a machine, to which agent forwarding is used? Can this be set
on a per-host-basis, like enabling/disabling agent forwarding in
.ssh/config?

One workaround I could think of would be to use a separate ssh key
just for that machine, and just add that one with the ssh-add -c option.

Any hints?

Thanks in advance,
Johannes
-- 
`Voldemort himself created his worst enemy, just as tyrants everywhere
do! Have you any idea how much tyrants fear the people they oppress?
All of them realise that, one day [...] there is sure to be one who
rises against them and strikes back.´ (Harry Potter 6)
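The separate-key workaround from the post, as an added example that is not the author's own configuration: a dedicated key and ForwardAgent only for the untrusted host, with only that key loaded via ssh-add -c. Host aliases and key paths are placeholders; config_value is a small stand-in for ssh's first-match option resolution so the fragment can be checked without a running agent.

```shell
#!/bin/sh
# Added example, not from the original post. It implements the
# workaround described above: a dedicated key for the potentially
# unsafe host, agent forwarding enabled only for that host, and only
# that key added with ssh-add -c. Aliases and key paths are made up.
set -eu

# Write an ssh_config fragment: forward the agent only to the untrusted
# host and pin the dedicated key to it; everything else keeps no
# forwarding, the everyday key, and therefore no confirmation prompts.
write_ssh_config() {
    # $1 = output file, $2 = untrusted host alias, $3 = dedicated key path
    cat > "$1" <<EOF
Host $2
    ForwardAgent yes
    IdentityFile $3
    IdentitiesOnly yes

Host *
    ForwardAgent no
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
EOF
}

# Resolve an option for a host the way ssh does (first match wins),
# simplified to exact aliases and the "*" catch-all. Lets the fragment
# be checked without ssh or an agent being available.
config_value() {
    # $1 = config file, $2 = host alias, $3 = option name
    awk -v host="$2" -v opt="$3" '
        $1 == "Host" { inblock = ($2 == host || $2 == "*"); next }
        inblock && $1 == opt { print $2; exit }
    ' "$1"
}

# Load keys into the agent: only the dedicated key gets -c, so only a
# use of that key (locally or through the forwarded socket) prompts.
load_keys() {
    # $1 = dedicated key path
    ssh-add -c "$1"            # confirmation via ssh-askpass on each use
    ssh-add ~/.ssh/id_ed25519  # everyday key, no prompt
}
```

Note that a forwarded agent offers every key it holds, not only the one named in IdentityFile, so the everyday key stays reachable from the unsafe host unless it too is added with -c or kept in a separate agent.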