Is there any solution, or even work on, limiting which keys gets forwarded where?

hubert depesz lubaczewski depesz at
Fri Oct 16 21:47:58 AEDT 2015

On Thu, Oct 15, 2015 at 07:02:58PM -0400, Nico Kadel-Garcia wrote:
> On Thu, Oct 15, 2015 at 10:34 AM, hubert depesz lubaczewski
> <depesz at> wrote:
> > Hi,
> >
> > I'm in a situation where I'm using multiple SSH keys, each to connect to
> > different set of servers.
> >
> > I can't load/unload keys on demand, as I usually am connected to at
> > least 2 of such sets.
> I *just* went through some of this, to distinguish between github SSH
> "deploykeys" and my personal key when connected to a remote server for
> which I may wish to publish updates to github.
> I personally now set up a .ssh/config with "Host" entries specified
> for different services and different "IdentityFile" services, to
> ensure use of one local key or the other for a particular "Host" as
> designated in .ssh/config. This does not require a real CNAME or valid
> DNS for the target host, and lends itself well to automated services
> where one upstream git repo requires a different SSH key than another.
> This does mean a private key on the server, which is its own risk. But
> for automated, unattended git deployment, you make tradeoffs.

So it's unacceptable for me - I have to have access to production
servers - access to them, without password, from jump host, shouldn't be
possible, but we can use ssh agent - which solves the problem.

But the flip side is that using agent opens access to all keys in it
from any connected host :(


More information about the openssh-unix-dev mailing list