Using two agents
Kasper Dupont
kasperd at fzcpf.25.may.2015.kasperd.net
Mon Jun 1 17:37:44 AEST 2015
On 01/06/15 11.28, Damien Miller wrote:
> On Sat, 30 May 2015, Kasper Dupont wrote:
>
> > As far as I can tell when the ssh command uses an agent to
> > authenticate to a server and then forwards an agent to that server, it
> > will always use the same agent for both purposes.
> >
> > Has there been any attempt to make it possible for the ssh command
> > to use two different agents, such that I can use one agent to
> > authenticate and then forward a different agent to the server?
>
> You could probably rig something up using the Unix domain socket
> forwaring that was added a couple of releases ago.
Wouldn't that require an updated server? What I had in mind
would be a fairly simple client side change that wouldn't
change the protocol used between client and server in any
way.
>
> More generally, I've long wanted the ability to restrict which keys are
> made available through a forwarded-agent but doing so either requires
> teaching ssh most of the agent protocol and moving ssh into the trust
> path for agent keys, or a more substantial rearchitecture of how agents
> are forwarded (giving each ssh a long-lived socket to the agent, or some
> sort of cookie that stood for one instead of creating socket on-demand).
I have seen such a thing implemented externally to the ssh
client: http://serverfault.com/a/660299/214507
But if I were to use that tool, I would still like the ssh
client to use the unfiltered agent to authenticate and then
forward the filtered client.
--
Kasper Dupont -- Rigtige mænd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);
More information about the openssh-unix-dev
mailing list