ForwardAgent without IdentityAgent?

Peter Stuge peter at stuge.se
Tue Jul 26 00:47:04 AEST 2022


Klemens Nanni wrote:
> In theory, I could probably use a single agent and implement my
> desired separation between distinct sites with such rules, but that
> seems a) more error prone to me and b) requires more duplication, e.g.
> hostnames and their relation now have to be manually entered into
> ssh-agent(1) with ssh-add(1)'s `-h'.

I'm not sure even that will accomplish what you want.

Once an agent socket is forwarded to A, A can communicate with that
agent at will.

If the agent can know to respond differently based on extra
information (e.g. that a request is coming from B through A) then it
could implement the rules you want, but AFAIK the agent can only know
*for sure* that a request arrived from A, nothing more.

The agent can't know whether A is truthful about a request originating
from B or from A itself.


I think you have to combine ProxyJump with a potentially complex
local agent setup/rules, and *never* forward any agent socket in
order to limit visibility of specific keys to specific hosts.


Kind regards

//Peter
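Peter's recommendation (reach the inner host through ProxyJump, keep ForwardAgent off, and limit which key each host ever sees) written out as an ~/.ssh/config. This is an added example, not part of the thread; the host names, user, key paths and the optional second agent socket are made-up placeholders.

```sshconfig
# Added example (not from the thread): reach B through jump host A with
# ProxyJump and never forward an agent socket, so A only relays the TCP
# stream and never gets to talk to the local agent at all.
# Host names, user, key paths and the agent socket are placeholders.

# The setting the thread argues against: once A holds the forwarded socket it
# can ask the agent to sign with any key it has loaded, claiming any origin.
#Host a.example.org
#    ForwardAgent yes

Host jump-a
    HostName a.example.org
    User alice
    ForwardAgent no
    IdentitiesOnly yes              # offer only the key listed below, even if the agent holds more
    IdentityFile ~/.ssh/id_ed25519_site_a

Host b-via-a
    HostName b.internal.example
    User alice
    ProxyJump jump-a                # A forwards the connection; the SSH session to B is end-to-end
    ForwardAgent no
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_site_b
    # Optional: keep site B's key in its own local agent so the two sets of
    # keys never share a socket; IdentityAgent selects that agent per host.
    #IdentityAgent ~/.ssh/agent-site-b.sock
```

With this layout A can still see that a connection to B passes through it, but it never receives a socket it could use to request signatures from the local agent.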

