ForwardAgent without IdentityAgent?
Damien Miller
djm at mindrot.org
Tue Jul 26 12:18:49 AEST 2022
On Sun, 24 Jul 2022, Klemens Nanni wrote:
> Hi,
>
> I usually use distinct IdentityFile values for distinct sites without
> IdentityAgent set or ssh-agent(1) running, so site A never sees login
> attempts with !A keys.
>
> Now I want to forward an agent containing keys for site B onto site A.
> Logging into A shall only use its respective key and from A I want to
> be able to connect to B using the forwarded agent.
You might also be able to use https://www.openssh.com/agent-restrict.html
for this.
> Having read ssh_config(5)'s ForwardAgent description, my impression was
> that setting this option to a socket path should be enough, i.e.
> $ ssh -oForwardAgent=/path/to/B.sock A
>
> Testing however shows that ForwardAgent has no effect unless
> IdentityAgent is set to whatever yields the same socket.
>
> This in turn causes SSH to use the identity agent for authentication
> against A (explicitly undesired) and adding both A and B keys to the
> agent forwarded would result in using both keys A and B for
> authentication against B (explicitly undesired).
>
> It is not obvious to me from the manual that ForwardAgent requires
> IdentityAgent, neither does it make sense to me.
>
> What is the benefit of overwriting IdentityAgent's socket path with
> ForwardAgent=/path/to/sock?
I think this is likely to be an implementation detail that leaked out,
from not plumbing the IdentityAgent path through to
sshconnect2.c:ssh_get_authentication_socket() and it should probably
be cleaned up to allow fully separate Identity/ForwardAgent.
-d
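The following ssh_config(5) fragment is an added illustration of the two-hop setup discussed in this thread; it is not from the original posts nor from the OpenSSH project. The hostnames A and B, the key and socket paths, and the use of OpenSSH 8.9 or later (which introduced the destination constraints described on the agent-restrict page Damien links) are all assumptions.

```sshconfig
# Added example (not from the thread): ssh_config(5) for logging into A
# with A's key only, while carrying an agent that holds B's key.
# Hostnames, key paths and the socket path are assumptions; adjust them.
#
# Before connecting, load the keys into the agent that will be forwarded
# and restrict where each may be used (OpenSSH 8.9+, ssh-add -h):
#   ssh-add -h A     ~/.ssh/id_A   # usable only from this host to A
#   ssh-add -h "A>B" ~/.ssh/id_B   # usable only from A onward to B
# Loading id_A with "-h A" keeps the first hop inside the agent's view,
# which is the case the agent-restrict documentation describes.

Host A
    HostName a.example.org
    # Offer only A's key to A, even though an agent holding other keys
    # is reachable: IdentitiesOnly stops ssh from trying agent keys that
    # are not listed as IdentityFile for this host.
    IdentityFile ~/.ssh/id_A
    IdentitiesOnly yes
    # As observed above, ForwardAgent=<path> only takes effect when
    # IdentityAgent resolves to the same socket, so both are set here.
    IdentityAgent ~/.ssh/agent-B.sock
    ForwardAgent  ~/.ssh/agent-B.sock
```

On A, the forwarded socket is what SSH_AUTH_SOCK points at, so `ssh B` there picks up id_B from the forwarded agent while the agent refuses to use it for any destination other than B via A. IdentitiesOnly is the setting that addresses the "site A never sees login attempts with non-A keys" requirement regardless of which agent is reachable; the destination constraints address what the forwarded agent will sign for once it is on A.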