[RFE] Multiple ssh-agent support

Fabiano Fidêncio fidencio at redhat.com
Fri Sep 18 23:47:43 AEST 2015


Howdy!

I've been working on a prototype that allows ssh-agent forwarding
between a guest, using SPICE, and a spice client
(remote-viewer/virt-viewer/spicy).
The whole idea is to have something similar to "ssh -A guest", but
integrated with the desktop environment.

As a proof of concept I wrote a standalone ssh-agent that _unlinks_ the
currently running agent in the guest machine and creates its socket in
the same path used by the old agent. It works, as you can see in these
small demo videos:
https://fidencio.fedorapeople.org/ssh-agent-forward/

Now here is where the problem starts: doing this would break the desktop
integration with its running ssh-agent.

A few possible solutions for this would involve a way to support more
than one agent, talking to both (the local one and the spice one),
then merging their responses and returning them to any application that
sent the request. Note that it would be really nice if we could limit it
to just some operations (like, ssh-add .ssh/id_rsa probably must not
go to the spice agent).

But how to do that? What could be a good approach for doing that?
Expanding the agent protocol in order to have a "ssh-add --proxy
/path/to/the/new/agent/socket" could be one option.
Making SSH_AUTH_SOCK support a list of agents is another option; then
the first agent would be the "dispatcher".

These are the questions that I have and I am open to
suggestions/further discussions.

Best Regards,
--
Fabiano Fidêncio
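
A sketch of the "dispatcher" idea discussed in the message above, as an added example that is not part of the original post or of OpenSSH: it merges the identity lists of two agents and keeps every other operation (such as adding a key) on the local agent. It assumes unframed message bodies (the uint32 length prefix already stripped) and hypothetical `local`/`remote` transport callables; routing sign requests by which agent lists the key is a choice made for this sketch.

```python
import struct

SSH_AGENT_FAILURE, SSH_AGENTC_REQUEST_IDENTITIES = 5, 11  # agent protocol
SSH_AGENT_IDENTITIES_ANSWER, SSH_AGENTC_SIGN_REQUEST = 12, 13  # message numbers

def sstr(data):  # SSH "string": uint32 length, then the bytes
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):  # returns (bytes, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities(body):
    """Return [(key_blob, comment)]; failure or malformed replies give []."""
    try:
        if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
            return []
        (count,) = struct.unpack_from(">I", body, 1)
        off, keys = 5, []
        for _ in range(count):
            blob, off = read_string(body, off)
            comment, off = read_string(body, off)
            keys.append((blob, comment))
        return keys
    except (IndexError, struct.error, ValueError):
        return []

def build_identities(keys):
    head = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    return head + b"".join(sstr(b) + sstr(c) for b, c in keys)

def dispatch(request, local, remote):
    """local/remote: hypothetical callables, request body -> reply body."""
    list_req = bytes([SSH_AGENTC_REQUEST_IDENTITIES])
    try:
        kind = request[0]
        if kind == SSH_AGENTC_REQUEST_IDENTITIES:
            keys = parse_identities(local(list_req))
            seen = {blob for blob, _ in keys}  # local copy wins on duplicates
            keys += [k for k in parse_identities(remote(list_req)) if k[0] not in seen]
            return build_identities(keys)
        if kind == SSH_AGENTC_SIGN_REQUEST:
            blob, _ = read_string(request, 1)
            mine = {b for b, _ in parse_identities(local(list_req))}
            return (local if blob in mine else remote)(request)
        return local(request)  # add/remove/lock never reach the remote agent
    except (IndexError, struct.error, ValueError):
        return bytes([SSH_AGENT_FAILURE])
```

Because the default route is the local agent, any message type the dispatcher does not recognise stays inside the guest instead of being forwarded to the client side.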


More information about the openssh-unix-dev mailing list