[RFE] Multiple ssh-agent support

Fabiano Fidêncio fidencio at redhat.com
Sat Sep 19 10:31:59 AEST 2015


On Fri, Sep 18, 2015 at 7:07 PM, Peter Stuge <peter at stuge.se> wrote:
> Fabiano Fidêncio wrote:
>> A few possible solutions for this would involve a way to support more
>> than one agent, talking to both (the local one and the spice one),
>> then merging their responses and returning it to any application that
>> sent the request. Note that it would be really nice if we can limit it to
>> do just some operations (like, ssh-add .ssh/id_rsa probably must not
>> go to the spice agent).
>>
>> But how to do that? What could be a good approach for doing that?
>
> One obvious approach is to create a proxy agent which looks like an
> agent to all clients, but which also integrates with SPICE.

This is a good solution, probably the best one. The main problem is
how to implement it.
We have two clear ways of adding a proxy agent. One is with
SSH_AUTH_SOCK supporting a list of sockets, but it won't be
dynamic. In other words, if I want to replace the spice-agent with
another one, it would, most likely, require a session restart and it's
not exactly good :-\
The other option would be to extend the ssh-agent protocol to support a
few new operations (add/remove the proxy agent) and then we could just
do a ssh-add --proxy path/to/the/socket ...

I would really prefer to go for the second approach, but I really
would like to hear, from you (ssh people), if it would be accepted and
if I can proceed with the implementation.

Best Regards,
--
Fabiano Fidêncio
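
The merge-and-restrict behaviour discussed in this thread, as an added sketch that is not part of the original message and is not OpenSSH or SPICE code: it merges two agents' identity lists and routes each request, assuming the standard ssh-agent wire format. The backend names "local" and "spice", the function names, and the rule that local wins on duplicate keys are assumptions made for illustration.

```python
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11  # message numbers from the ssh-agent protocol
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13

def pack_string(data):
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Read one length-prefixed string; reject lengths that overrun buf."""
    head = buf[off:off + 4]
    end = off + 4 + int.from_bytes(head, "big")
    if len(head) < 4 or end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def parse_identities(body):
    """Parse an IDENTITIES_ANSWER body (without the 4-byte length prefix)."""
    if len(body) < 5 or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    count, off, keys = int.from_bytes(body[1:5], "big"), 5, []
    for _ in range(count):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        keys.append((blob, comment))
    return keys

def merge_identities(local_body, spice_body):
    """Merge both answers, local first; return (merged body, blob -> backend)."""
    merged, owner = [], {}
    for name, body in (("local", local_body), ("spice", spice_body)):
        try:
            keys = parse_identities(body)
        except ValueError:
            continue  # one failing backend must not hide the other's keys
        for blob, comment in keys:
            if blob not in owner:  # local wins on duplicate key blobs
                owner[blob] = name
                merged.append((blob, comment))
    out = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(merged))
    return out + b"".join(pack_string(b) + pack_string(c) for b, c in merged), owner

def route(request, owner):
    """Pick a backend; a malformed sign request raises ValueError."""
    if request[:1] == bytes([SSH_AGENTC_REQUEST_IDENTITIES]):
        return "both"
    if request[:1] == bytes([SSH_AGENTC_SIGN_REQUEST]):
        return owner.get(read_string(request, 1)[0], "local")
    return "local"  # ssh-add and everything else never leaves the local agent
```

The owner map returned by the merge is what lets a later sign request reach the agent that actually holds the key, while key additions and removals are never forwarded to the remote side.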


More information about the openssh-unix-dev mailing list