PrivateKeyCommand config idea

openssh at tr.id.au
Tue Mar 12 14:02:12 AEDT 2024


Hey Andy,

Thanks for your input.

> I personally think the ssh-agent suggestion works poorly. It's fine if one's goal is to configure an agent for all connections made by the running user. But if you want to do it per host, then something needs to start the agent and something needs to tell it when it's done.

Personally, through a combination of sk keys, daily certificates, and ControlMasters, I don't usually have an agent on by default. Without a need to frequently cache passphrases, and preferring to avoid workflows that rely on agent forwarding, I only activate an agent selectively.

Part of what the IdentityCommand change would give me, if it were implemented, is that I would no longer need to manually add ssh-agent to terminals or shells where I'll be running `git review` a lot :) I would just be able to make a one-line change to my ssh config and then everything will "just work" on every machine where I set things up identically.

As an aside, for general interest, when agents *are* needed, I have a Match stanza in client config to namespace ControlMasters. This helps avoid cross-talk between agents:

  # Match exec runs its command under $SHELL (/bin/sh if unset), so the
  # [[ ... ]] test assumes a shell that has it (bash, zsh). ssh keeps the
  # first value set for an option, so this Match must precede Host *; the
  # guard also means ${SSH_AGENT_PID} is only expanded when it is set.
  Match exec "[[ -n $SSH_AGENT_PID ]]"
      ControlPath ~/.ssh/cm/agent-${SSH_AGENT_PID}_%r@%n:%p

  Host *
      ControlPath ~/.ssh/cm/%r@%n:%p


~ Tim
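An added example, not part of Tim's message or of OpenSSH itself: a small POSIX sh script that checks offline which ControlPath the namespaced config above resolves to with and without an agent in the environment. It relies on `ssh -G`, which prints the resolved client configuration after evaluating Host and Match blocks (Match exec commands do run) and exits without connecting. One deliberate change from the posted config: because Match exec runs under $SHELL, or /bin/sh when that is unset, the bash-only `[[ -n $SSH_AGENT_PID ]]` is replaced by `test ${SSH_AGENT_PID:+1}`, which stays correct under a plain sh (the tempting `[ -n $SSH_AGENT_PID ]` would be true when the variable is unset, since `[ -n ]` with a single argument is true). The host name `dev`, the `User probe` line and the temporary directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the ControlPath that a
# namespaced config picks with and without SSH_AGENT_PID in the environment,
# using `ssh -G` (config dump after Host/Match evaluation, no connection).
# Assumptions: host name "dev", User "probe", a mktemp directory instead of ~.
set -eu

# Write a throwaway client config into $1. A fixed directory replaces ~ so the
# expanded path is predictable; ${SSH_AGENT_PID} is expanded by ssh itself.
# `test ${SSH_AGENT_PID:+1}` runs under $SHELL or /bin/sh: unset -> `test`
# (false), set -> `test 1` (true), with no quoting needed inside the config.
write_config() {
    cat >"$1/config" <<EOF
Match exec "test \${SSH_AGENT_PID:+1}"
    ControlPath $1/cm/agent-\${SSH_AGENT_PID}_%r@%n:%p

Host *
    User probe
    ControlMaster auto
    ControlPath $1/cm/%r@%n:%p
EOF
    # ssh refuses a config file that is writable by others.
    chmod 600 "$1/config"
    mkdir -p "$1/cm"
}

# Print the controlpath ssh -G resolves for host "dev" using the config in $1.
resolved_controlpath() {
    ssh -F "$1/config" -G dev | awk '$1 == "controlpath" { print $2 }'
}

# Same query with an agent PID exported; the subshell keeps the caller's
# environment untouched (a prefix assignment on a function call is not
# portable across shells).
with_agent() {
    ( SSH_AGENT_PID=4242; export SSH_AGENT_PID; resolved_controlpath "$1" )
}

# Same query with no agent variable at all.
without_agent() {
    ( unset SSH_AGENT_PID; resolved_controlpath "$1" )
}

demo() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh client not installed"; return 0; }
    d=$(mktemp -d)
    write_config "$d"
    echo "with agent:    $(with_agent "$d")"
    echo "without agent: $(without_agent "$d")"
    rm -rf "$d"
}

demo
```

With an OpenSSH client installed, the first line ends in `cm/agent-4242_probe@dev:22` and the second in `cm/probe@dev:22`; the same `ssh -G` check is a cheap way to confirm that a Match block is selecting what you expect before relying on it for socket isolation.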


