PrivateKeyCommand config idea

Andy Lutomirski luto at
Tue Mar 12 13:11:55 AEDT 2024

On Mon, Mar 11, 2024, at 6:05 PM, Bernd Eckenfels wrote:
> BTW not for your usecase with the decryption, but if people want to 
> dynamically create/provision short lived
> keys, they could use „match host * exec %s“ config to run a 
> program before each connection.
> However it can’t stdout the key material, but what it could do is 
> update a temporary Idendity file or
> push it short-lived with ssh-add to the running (standard) agent.

I posted earlier about this -- it works very poorly.  In particular, it runs even in cases where nothing is trying to connect.  For example:

ssh -O exit host

I personally think the ssh-agent suggestion works poorly.  It's fine if one's goal is to configure an agent for all connections made by the running user.  But if you want to do it *per host*, then something needs to start the agent and something needs to tell it when it's done.

I can imagine this being improved in a couple ways.  For example, there could be an option like:

IdentityAgentCommand foo

where foo is run and the agent protocol is spoken over stdin and stdout.  Or maybe the command could pass a connected socket back to its caller (via an awkward SCM_RIGHTS dance) so that the caller wouldn't be forced to remain running.


More information about the openssh-unix-dev mailing list