some thoughts about ssh-add -c -t

Marc Haber mh+openssh-unix-dev at zugschlus.de
Thu May 4 00:35:22 AEST 2017


Hi,

first let me thank you all for writing and maintaining OpenSSH. Working
with Linux for almost 20 years, my life would be totally different
without OpenSSH. And it wouldn't be any better.

I have recently experimented with ssh-add -c -t and AddKeysToAgent to
reduce attack vectors against my ssh-agent connections. While this seems
to me generally usable, having a graphical ssh-askpass pop up so often
has been proven to be generally annoying.

Additionally, I frequently ssh to another host with AgentForwarding and
X11 Forwarding disabled, start another agent there, load a key there and
ssh to a second host. That way, the second ssh-agent doesn't have a
display to invoke ssh-askpass.

Is there a way to have a non-graphical ssh-askpass on the terminal, even
if that means to have the ssh-client that was just invoked prompt for
confirmation like it does for the passphrase with AddKeysToAgent
enabled?

Also, how about allowing wildcards in IdentityFile, therefore allowing
things like IdentityFile %d/.ssh/id_* ?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

