Using two agents

Phil Pennock phil.pennock at
Sun May 31 00:38:06 AEST 2015

On 2015-05-30 at 15:00 +0200, Kasper Dupont wrote:
> On my laptop I have key1 and key2. I can use key1 to log in
> on server1, and I can use key2 to log in on server2. I want
> neither key to leave the laptop, and only key2 is allowed
> to be forwarded to other hosts.

As validation for what Kasper is saying, so that others know that it's
not just him:

$work would use the feature you describe.  At present, the key1 that you
describe is unencrypted :( but is used for perimeter access, while key2
is used for intra-cluster access, but because it's forwarded onto less
trusted hosts, can't be allowed to be used for getting into the cluster
in the first place -- we constrain the impact of a breach.  Not ideal.

We'd like to move to using transient certificates issued for perimeter
access, using OpenSSH CA, but that requires that the key1 role be loaded
from an agent.  If we move to the same transient certificate used for
the key2 role then we get all the benefits of short-lived proof, but we
lose our containment of impact of breach.

So if you come up with a solution letting the ssh(1) command be told to
use one agent for auth to the remote host but to pass a different agent
as the forwarded auth signer, we would use it too.


More information about the openssh-unix-dev mailing list