Informing the SSH agent of the target user at server
Damien Miller
djm at mindrot.org
Thu Mar 22 14:47:25 AEDT 2018
On Wed, 21 Mar 2018, Damien Miller wrote:
> I had more grandiose plans to allow each sshd to sign agent requests
> with the hostkey as they passed through, to allow some sort of chain
> of trust. Unfortunately that would require fairly far reaching
> changes to the SSH protocol to enable binding those signatures to the
> transport instance over which they occur.
I should add that one of the things that put me off pursuing this further
was implementing ProxyJump/-J. Complex schemes for verifying agent
request provenance seem inferior in most ways to using ProxyJump to
set up end-to-end ssh sessions with the ultimate destination.
For that case, the main thing you want to do is to locally subset which
keys ssh-agent is willing to present to remote destinations, and that's a
way simpler problem.
-d
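As an added illustration of the end-to-end setup the post describes (this is not code from the post or from OpenSSH itself), the fragment below reaches a target host through a jump host with ProxyJump, pins one key per hop with IdentityFile/IdentitiesOnly, and keeps ForwardAgent off so the agent never leaves the local machine. The host names, user names and key paths are constructed, and check_config is a hypothetical local sanity check that flags the hop-by-hop alternative (agent forwarding into the jump host) and ProxyJump blocks that forget to pin their keys.

```shell
#!/bin/sh
# Added example, not code from the original post. Hosts, users and key
# paths are constructed; check_config is a hypothetical local sanity check.

# Writes an ssh_config fragment to $1 that reaches "target" end-to-end
# through "jump" via ProxyJump and offers only one pinned key per hop.
write_end_to_end_config() {
  cat > "$1" <<'EOF'
# Jump host: only the dedicated jump key is offered, and the agent stays home.
Host jump
    HostName jump.example.internal
    User ops
    IdentityFile ~/.ssh/id_jump
    IdentitiesOnly yes
    ForwardAgent no

# Target: ssh opens a second, end-to-end session through the jump host.
# The jump host only relays the TCP stream; it never talks to the agent.
Host target
    HostName target.example.internal
    User deploy
    ProxyJump jump
    IdentityFile ~/.ssh/id_target
    IdentitiesOnly yes
    ForwardAgent no
EOF
}

# Writes the hop-by-hop alternative to $1: log in to jump with agent
# forwarding, then ssh onward from there. Every key in the agent becomes
# usable from the jump host, which is exactly what the end-to-end setup avoids.
write_forwarding_config() {
  cat > "$1" <<'EOF'
Host jump
    HostName jump.example.internal
    User ops
    ForwardAgent yes
EOF
}

# Returns 0 when the fragment at $1 keeps the agent local (no "ForwardAgent yes")
# and every Host block that uses ProxyJump also pins its keys with IdentitiesOnly.
check_config() {
  cfg="$1"
  if grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]]+yes' "$cfg"; then
    echo "check_config: ForwardAgent yes would expose the agent on the hop" >&2
    return 1
  fi
  awk '
    function flush() {
      if (block != "" && pj && !io) {
        print "check_config: Host " block " uses ProxyJump without IdentitiesOnly" > "/dev/stderr"
        bad = 1
      }
    }
    BEGIN { bad = 0; block = ""; pj = 0; io = 0 }
    /^[[:space:]]*#/ { next }
    tolower($1) == "host" { flush(); block = $2; pj = 0; io = 0; next }
    tolower($1) == "proxyjump" { pj = 1 }
    tolower($1) == "identitiesonly" && tolower($2) == "yes" { io = 1 }
    END { flush(); exit bad }
  ' "$cfg"
}

# Usage on a temporary file (constructed):
#   tmp=$(mktemp); write_end_to_end_config "$tmp"; check_config "$tmp" && echo "agent stays local"
```

With the first fragment installed, `ssh target` authenticates to jump with id_jump and, over the relayed connection, to target with id_target; both signatures are produced locally, so the jump host never needs the agent and the question of proving where an agent request came from does not arise. `ssh -G target` prints the effective options if you want to confirm that ProxyJump, IdentitiesOnly and ForwardAgent resolved as intended.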