Key Selection with agent

Patrick Marc Preuß patrick.preuss at gmail.com
Sat Oct 11 10:57:00 EST 2014


Hi guys 

Yes, I was referring to providing the key via the agent.

First, placing the key on a remote system might be insecure. Your workstation can be assumed to be a trusted environment.
Second, you can have multiple keys in use and obsolete one system (system group).

Third, you will not have failed logins due to wrong keys.

It will be usable for a wider range of people.

So the question is: must this be done on the remote system, or can the agent have the rule?

On the other hand, when using GSSAPI and Kerberos, can we forward the TGT or the request back to the workstation?

As we assume the workstation is a trusted source.

----

Patrick Marc Preuss Mobile: 0172/7411263 | Email: patrick.preuss at me.com

> On 10.10.2014 at 21:50, Iain Morgan <imorgan at nas.nasa.gov> wrote:
> 
> On Mon, Oct 06, 2014 at 11:50:21 +1100, Damien Miller wrote:
>> On Sat, 4 Oct 2014, Patrick Marc Preuss wrote:
>>> 
>>> Hi All
>>> 
>>> is it possible to select the presented key based on the hash?
>> 
>> I don't know what hash you are talking about.
>> 
>>> The situation is the following:
>>> 
>>> Workstation is running the agent with some keys.
>>> Need to use a jump host to connect to other hosts.
>> 
>> You can use something like the following in your ~/.ssh/config
>> 
>> Host foo
>>    IdentitiesOnly yes
>>    IdentityFile ~/.ssh/id_foo.pub
>> 
>> Host bar
>>    IdentitiesOnly yes
>>    IdentityFile ~/.ssh/id_bar.pub
>> 
>> ssh will use the specified key from the agent, even if it offers others.
>> 
>> Unfortunately there is no way to select/filter keys when an agent is
>> forwarded yet. It would be a nice feature though.
>> 
>> -d
> 
> If you place a copy of the public key on a remote system, and add
> appropriate entries for IdentitiesOnly and IdentityFile into the
> ~/.ssh/config on that system, you can control which key is used when
> connecting to other systems.
> 
> What would be nice is if you could specify a key fingerprint with
> IdentityFile rather than having to provide the actual public key. This
> may have been what Patrick was referring to.
> 
> -- 
> Iain Morgan
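As an added illustration (not code from the thread or from OpenSSH), the following helper script does the fingerprint-based selection Iain wishes for on top of the mechanism Damien describes: it picks the agent key whose fingerprint matches, writes only its public half to disk, and emits the IdentitiesOnly/IdentityFile stanza. The agent listing is constructed sample data standing in for `ssh-add -L` output, the file name `id_<host>.pub` is an assumed convention, and the fingerprint format is the SHA256 form used by newer ssh-keygen (releases contemporary with this thread printed MD5).

```python
import base64
import hashlib
import struct
from pathlib import Path

def _blob(key_type: str, key_bytes: bytes) -> str:
    """Build a base64 OpenSSH public-key blob (constructed sample data, not a real key)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(s(key_type.encode()) + s(key_bytes)).decode()

# Constructed stand-in for `ssh-add -L` output: two ed25519 keys held by the agent.
AGENT_LISTING = "\n".join([
    "ssh-ed25519 %s patrick@workstation-foo" % _blob("ssh-ed25519", bytes([1]) * 32),
    "ssh-ed25519 %s patrick@workstation-bar" % _blob("ssh-ed25519", bytes([2]) * 32),
])

def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: base64(sha256(blob)), no padding."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def select_key(listing: str, wanted_fp: str):
    """Return the agent key line with the wanted fingerprint, or None if the agent lacks it."""
    for line in listing.splitlines():
        if line.strip() and fingerprint(line) == wanted_fp:
            return line.strip()
    return None

def config_stanza(host: str, pub_path: str) -> str:
    """The ~/.ssh/config stanza from the thread: offer only this key, taken from the agent,
    so the remote side never sees the other agent keys and no failed attempts are logged."""
    return f"Host {host}\n    IdentitiesOnly yes\n    IdentityFile {pub_path}\n"

def pin_host_key(host: str, wanted_fp: str, ssh_dir: Path, listing: str = AGENT_LISTING) -> str:
    """Write the public half of the chosen agent key into ssh_dir and return the stanza.
    Only the .pub file lands on disk (assumed name id_<host>.pub); the private key stays
    in the agent on the workstation, which is the point of the thread."""
    line = select_key(listing, wanted_fp)
    if line is None:
        raise LookupError(f"agent holds no key with fingerprint {wanted_fp}")
    pub_path = ssh_dir / f"id_{host}.pub"
    pub_path.write_text(line + "\n")
    return config_stanza(host, str(pub_path))

if __name__ == "__main__":
    wanted = fingerprint(AGENT_LISTING.splitlines()[1])
    print(pin_host_key("bar", wanted, Path(".")))
```

On a jump host the same stanza works with a forwarded agent, since the `.pub` file only names which forwarded key ssh may offer.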

