[RFE] Multiple ssh-agent support

Fabiano Fidêncio fidencio at redhat.com
Sat Sep 19 10:38:33 AEST 2015

On Fri, Sep 18, 2015 at 10:58 PM, Ángel González <keisial at gmail.com> wrote:
> On 18/09/15 15:47, Fabiano Fidêncio wrote:
>> Howdy!
>> I've been working on a prototype that allows to do ssh-agent forward
>> between a guest, using SPICE, and a spice client
>> (remote-viewer/virt-viewer/spicy)
>> The whole idea is to have something similar to "ssh -A guest", but
>> integrated with the desktop environment.
>> As a proof of concept I wrote a standalone ssh-agent that _unlink_ the
>> current running agent in the guest machine and creates its socket in
>> the same path used by the old agent.
> unlinking the socket seems a bit overkill. You could play with

Playing with SSH_AUTH_SOCK may be a bit problematic. As far as I
understand it would require a session restart in order to set a new
value to the env var (at least using GNOME).
Btw, I would like to be really clear here that I am focused in a
DE-agnostic solution. :-)

>> A few possible solutions for this would involve a way to support more
>> than one agent, talking to both (the local one and the spice one),
>> merging then their responses and returning it to any application who
>> sent the request. Note that would be really nice if we can limit it to
>> do just some operations (like, ssh-add .ssh/id_rsa probably must not
>> go to the spice agent).
> I would make a proxy ssh agent that linearly attempts from each
> child agent. The add operations would always go to the first agent
> (unless it returned an error?).
> I also like the idea of SSH_AUTH_SOCK containing a list of sockets.

The proxy agent would be the spice one or the one already running in the system?
This part is very important, because when you are doing a ssh-add
.ssh/id_rsa you really want the key to be added to your system agent
(it means, gnome-keyring-daemon agent or ssh-agent, depending on the
DE you're using).
Considering we want to have the system agent as a dispatcher ... how
would we add a second agent to it without extending the protocol?
Again, adding it to SSH_AUTH_SOCK may be a solution, but then all DEs
must add the spice agent socket path independently if it's running or
not. That's the reason I still think that having a ssh-add -p
path/to/the/socket would be better. It could be dynamically set and
would not require a DE session restart.

Best Regards,
Fabiano Fidêncio

More information about the openssh-unix-dev mailing list