Is there any solution, or even work on, limiting which keys gets forwarded where?

hubert depesz lubaczewski depesz at
Fri Oct 16 01:34:43 AEDT 2015


I'm in a situation where I'm using multiple SSH keys, each to connect to
different set of servers.

I can't load/unload keys on demand, as I usually am connected to at
least 2 of such sets.

But - some rogue "root", could get access to my agent-forwarding socket,
and in turn, get access to keys loaded to agent (not in terms of
obtaining the key, but being able to use it to log to server he
shouldn't be able to).

As I understand the only solution is to run multiple ssh-agents, and
load each key to only one of them, and then, before connecting, pick
which agent to choose.

But this is pretty tedious, and error-prone.

Is there any ready solution that could be used, or perhaps a work on
incorporating key-filtering to ssh itself?

Best regards,


The best thing about modern society is how easy it is to avoid contact with it.

More information about the openssh-unix-dev mailing list