Using two agents

Kasper Dupont kasperd at
Sat May 30 23:00:10 AEST 2015

On 30/05/15 08.34, Nico Kadel-Garcia wrote:
> On Sat, May 30, 2015 at 8:00 AM, Kasper Dupont
> <kasperd at> wrote:
> > As far as I can tell when the ssh command uses an agent to
> > authenticate to a server and then forwards an agent to that
> > server, it will always use the same agent for both purposes.
> >
> > Has there been any attempt to make it possible for the ssh
> > command to use two different agents, such that I can use one
> > agent to authenticate and then forward a different agent to
> > the server?
> That sounds really, really awkward, and would create a real
> "provenance" problem for the agent being accessed on the other side.

This couldn't possibly be a problem for the other side,
the other side will only ever know about one agent.

> What problem are you actually trying to solve?

On my laptop I have key1 and key2. I can use key1 to log in
on server1, and I can use key2 to log in on server2. I want
neither key to leave the laptop, and only key2 is allowed
to be forwarded to other hosts.

I need to ssh to server1 and on server1 run an scp command
to exchange files with server2.

This approach works as long as key1 is not encrypted:
ssh-agent bash
ssh-add key2
ssh -i key1 -A server1

But if key1 is encrypted it is highly inconvenient to have
to type my password each time I connect to server1. It is
also prone to phishing attacks, because when I type the ssh
command, how can I really know if the password prompt I see
is from ssh needing to decrypt key1 or from server1 trying
to get my decryption password.

Starting two agents locally and loading key1 and key2 into
separate agents is trivial. Storing the name of the socket
for the first agent in a secondary environment variable
before starting the second agent (and overwriting
SSH_AUTH_SOCK) is also trivial.

But now that I have two enviroment variables pointing to
the two agents, I can't ask ssh to use the first agent to
log me in on server1 and forward the other agent. Because
ssh will use SSH_AUTH_SOCK for both purposes.

It is surely possible to update the ssh command to support
the use of two separate agents (for example by allowing
the paths to the two sockets to be specified in two
configuration options).

I just want to know if anybody did this already, so I don't
waste my time reinventing the wheel.

Kasper Dupont -- Rigtige mænd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */

More information about the openssh-unix-dev mailing list