Using two agents

Kasper Dupont kasperd at fzcpf.25.may.2015.kasperd.net
Mon Jun 1 17:37:44 AEST 2015


On 01/06/15 11.28, Damien Miller wrote:
> On Sat, 30 May 2015, Kasper Dupont wrote:
> 
> > As far as I can tell when the ssh command uses an agent to
> > authenticate to a server and then forwards an agent to that server, it
> > will always use the same agent for both purposes.
> >
> > Has there been any attempt to make it possible for the ssh command
> > to use two different agents, such that I can use one agent to
> > authenticate and then forward a different agent to the server?
> 
> You could probably rig something up using the Unix domain socket
> forwarding that was added a couple of releases ago.

Wouldn't that require an updated server? What I had in mind
would be a fairly simple client side change that wouldn't
change the protocol used between client and server in any
way.

> 
> More generally, I've long wanted the ability to restrict which keys are
> made available through a forwarded-agent but doing so either requires
> teaching ssh most of the agent protocol and moving ssh into the trust
> path for agent keys, or a more substantial rearchitecture of how agents
> are forwarded (giving each ssh a long-lived socket to the agent, or some
> sort of cookie that stood for one instead of creating socket on-demand).

I have seen such a thing implemented externally to the ssh
client: http://serverfault.com/a/660299/214507

But if I were to use that tool, I would still like the ssh
client to use the unfiltered agent to authenticate and then
forward the filtered client.

-- 
Kasper Dupont -- Rigtige mænd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);
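
The thread above discusses restricting which keys a forwarded agent exposes, and Damien notes that doing it inside ssh would mean teaching ssh most of the agent protocol. The following is an added example, not code from this thread, from OpenSSH or from the tool linked at serverfault: a message-level filter that could sit between the forwarded socket and the real agent. It hides keys that are not on an allow-list from SSH_AGENT_IDENTITIES_ANSWER and answers SSH_AGENTC_SIGN_REQUEST for such keys with SSH_AGENT_FAILURE. Message numbers and layouts follow the ssh-agent wire protocol; the key blobs, comments and the names `WORK_KEY`, `PERSONAL_KEY`, `ALLOWED` and `demo` are constructed for the example.

```python
"""Allow-list filter for ssh-agent protocol messages (added example)."""
import struct
from typing import Optional

# Message numbers from the ssh-agent protocol.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13


def put_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset `off`; return (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def frame(msg_type: int, payload: bytes = b"") -> bytes:
    """Agent framing: uint32 length, then one type byte, then the payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def unframe(data: bytes):
    """Split one framed message into (type, payload); rejects short/bad lengths."""
    if len(data) < 5:
        raise ValueError("short message")
    (n,) = struct.unpack_from(">I", data, 0)
    if n < 1 or 4 + n > len(data):
        raise ValueError("bad length")
    return data[4], data[5:4 + n]


def parse_identities(payload: bytes):
    """SSH_AGENT_IDENTITIES_ANSWER payload -> list of (key_blob, comment)."""
    (count,) = struct.unpack_from(">I", payload, 0)
    off, keys = 4, []
    for _ in range(count):
        blob, off = get_string(payload, off)
        comment, off = get_string(payload, off)
        keys.append((blob, comment))
    return keys


def build_identities(keys) -> bytes:
    """Inverse of parse_identities."""
    out = struct.pack(">I", len(keys))
    for blob, comment in keys:
        out += put_string(blob) + put_string(comment)
    return out


def filter_request(request: bytes, allowed_blobs) -> Optional[bytes]:
    """Client->agent direction. None means forward unchanged; otherwise the
    returned bytes are a reply to send back instead (signing refused)."""
    msg_type, payload = unframe(request)
    if msg_type == SSH_AGENTC_SIGN_REQUEST:
        blob, _ = get_string(payload, 0)   # first field is the key blob
        if blob not in allowed_blobs:
            return frame(SSH_AGENT_FAILURE)
    return None


def filter_reply(reply: bytes, allowed_blobs) -> bytes:
    """Agent->client direction. Drops identities not on the allow-list."""
    msg_type, payload = unframe(reply)
    if msg_type != SSH_AGENT_IDENTITIES_ANSWER:
        return reply
    keys = [k for k in parse_identities(payload) if k[0] in allowed_blobs]
    return frame(SSH_AGENT_IDENTITIES_ANSWER, build_identities(keys))


def ed25519_blob(fill: int) -> bytes:
    """Constructed ssh-ed25519 public key blob with placeholder key bytes."""
    return put_string(b"ssh-ed25519") + put_string(bytes([fill]) * 32)


WORK_KEY = ed25519_blob(0x01)        # constructed
PERSONAL_KEY = ed25519_blob(0x02)    # constructed
ALLOWED = {WORK_KEY}                 # only this key is exposed when forwarded


def demo():
    """One listing round trip plus one refused signing request."""
    answer = frame(SSH_AGENT_IDENTITIES_ANSWER, build_identities(
        [(WORK_KEY, b"work"), (PERSONAL_KEY, b"personal")]))
    visible = parse_identities(unframe(filter_reply(answer, ALLOWED))[1])
    sign_req = frame(SSH_AGENTC_SIGN_REQUEST, put_string(PERSONAL_KEY)
                     + put_string(b"challenge") + struct.pack(">I", 0))
    return [c for _, c in visible], filter_request(sign_req, ALLOWED)


if __name__ == "__main__":
    print(demo())
```

Two caveats apply. First, this filter handles one complete framed message at a time; a real proxy must reassemble messages from the socket stream before calling it. Second, as Damien's message points out, a filter of this kind is now in the trust path for the agent: the remote side can only be kept away from the personal key if the filter, not the unfiltered agent, is what actually gets forwarded.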


More information about the openssh-unix-dev mailing list