ForwardAgent without IdentityAgent?
Peter Stuge
peter at stuge.se
Tue Jul 26 00:47:04 AEST 2022
Klemens Nanni wrote:
> In theory, I could probably use a single agent and implement my
> desired separation between distinct sites with such rules, but that
> seems a) more error prone to me and b) requires more duplication, e.g.
> hostnames and their relation now have to be manually entered into
> ssh-agent(1) with ssh-add(1)'s `-h'.
I'm not sure even that will accomplish what you want.
Once an agent socket is forwarded to A, A can communicate with that
agent at will.
If the agent can know to respond differently based on extra
information (e.g. that a request is coming from B through A) then it
could implement the rules you want, but AFAIK the agent can only know
*for sure* that a request arrived from A, nothing more.
The agent can't know whether A is truthful about a request originating
from B or from A itself.
I think you have to combine ProxyJump with a potentially complex
local agent setup/rules, and *never* forward any agent socket in
order to limit visibility of specific keys to specific hosts.
Kind regards
//Peter
More information about the openssh-unix-dev
mailing list