add keys and certificate to forwarded agent on remote host
Rory Campbell-Lange
rory at campbell-lange.net
Tue Sep 18 05:34:41 AEST 2018
On 17/09/18, Peter Stuge (peter at stuge.se) wrote:
> Rory Campbell-Lange wrote:
> > Can ssh-add work on the remote socket file?
>
> I expect that it will just work<tm>. The local socket is just a
> socket, and the protocol[1] message SSH_AGENT_ADD_KEY is the same.
Local:
$ ssh-agent > /tmp/agent.env
$ source /tmp/agent.env
$ ssh-add ~/.ssh/id_user
$ ssh -A remote
Remote:
$ SSH_AUTH_SOCK=/tmp/ssh-1rVbCSbuDP/agent.3145
$ ssh-add newkey
Identity added: newkey (newkey)
Local:
$ source /tmp/agent.env
$ ssh-add -l
2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA)
2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA-CERT)
2048 SHA256:SZG...5hUQ newkey (RSA)
That worked perfectly, it seems.
> > Is such an operation advisable?
>
> That's up to you. ssh-add decrypts the private key locally where invoked
> and transfers the key in a form immediately usable to the agent.
>
> Once the agent has the key, it's not really possible to force the agent
> to remove it.
I guess one could set a short life on the remotely added key, such as:
Remote:
$ SSH_AUTH_SOCK=/tmp/ssh-X85qP7jRtG/agent.4079
$ ssh-add -t 300 shortlifekey
Identity added: shortlifekey (shortlifekey)
Lifetime set to 300 seconds
Local:
$ ssh-add -l
2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA)
2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA-CERT)
2048 SHA256:SZG...5hUQ newkey (RSA)
2048 SHA256:7IS...JRi8 shortlifekey (RSA)
wait 5 minutes...
2048 SHA256:32Cv...qYBs /home/user/.ssh/id_user (RSA)
2048 SHA256:32Cv...qYBs /home/user/.ssh/id_user (RSA-CERT)
2048 SHA256:SZGf...5hUQ newkey (RSA)
Thanks for the great pointers
Rory
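The thread's point is that a forwarded agent socket speaks exactly the same protocol as the local one, so `ssh-add` (with or without `-t`) works on either end. As an added example, not code from the thread or from OpenSSH, the following stdlib-only Python encodes and decodes the agent messages involved, using the message numbers from draft-miller-ssh-agent (the add request Peter refers to is SSH_AGENTC_ADD_IDENTITY, or SSH_AGENTC_ADD_ID_CONSTRAINED when `-t`/`-c` constraints are attached). It shows how a lifetime constraint rides along with the key, prints fingerprints in the same format as `ssh-add -l`, and can query a live agent over SSH_AUTH_SOCK. The 32-byte and 64-byte "key" values are constructed placeholders of the right length, not a real key; only the ed25519 layout is decoded.

```python
"""Encode/decode SSH agent protocol messages (constructed example, not OpenSSH code)."""
import base64
import hashlib
import os
import socket
import struct
from typing import Optional

# Message and constraint numbers from draft-miller-ssh-agent.
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_ADD_IDENTITY = 17
SSH_AGENTC_ADD_ID_CONSTRAINED = 25
SSH_AGENT_CONSTRAIN_LIFETIME = 1   # followed by uint32 seconds (ssh-add -t)
SSH_AGENT_CONSTRAIN_CONFIRM = 2    # no payload; confirm each use (ssh-add -c)


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def frame(msg_type: int, payload: bytes) -> bytes:
    """Agent framing: uint32 length, message type byte, payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def build_add_ed25519(pk: bytes, sk: bytes, comment: str,
                      lifetime: Optional[int] = None, confirm: bool = False) -> bytes:
    """Build what `ssh-add [-t N] [-c] key` sends for an ed25519 key.
    Without constraints the type is ADD_IDENTITY; with -t or -c it becomes
    ADD_ID_CONSTRAINED and the constraints trail the key fields."""
    payload = (ssh_string(b"ssh-ed25519") + ssh_string(pk) + ssh_string(sk)
               + ssh_string(comment.encode()))
    constraints = b""
    if lifetime is not None:
        constraints += bytes([SSH_AGENT_CONSTRAIN_LIFETIME]) + struct.pack(">I", lifetime)
    if confirm:
        constraints += bytes([SSH_AGENT_CONSTRAIN_CONFIRM])
    if constraints:
        return frame(SSH_AGENTC_ADD_ID_CONSTRAINED, payload + constraints)
    return frame(SSH_AGENTC_ADD_IDENTITY, payload)


def parse_add_request(msg: bytes) -> dict:
    """Decode an add-identity request the way the receiving agent would."""
    (length,) = struct.unpack_from(">I", msg, 0)
    if length != len(msg) - 4:
        raise ValueError("bad frame length")
    msg_type = msg[4]
    if msg_type not in (SSH_AGENTC_ADD_IDENTITY, SSH_AGENTC_ADD_ID_CONSTRAINED):
        raise ValueError(f"not an add-identity message: {msg_type}")
    off = 5
    key_type, off = read_string(msg, off)
    if key_type != b"ssh-ed25519":
        raise ValueError("this example only decodes ssh-ed25519 keys")
    pk, off = read_string(msg, off)
    _sk, off = read_string(msg, off)          # private half; not retained here
    comment, off = read_string(msg, off)
    info = {"type": msg_type, "comment": comment.decode(), "lifetime": None,
            "confirm": False, "public_blob": ssh_string(key_type) + ssh_string(pk)}
    while off < len(msg):                     # trailing constraints, if any
        ctype, off = msg[off], off + 1
        if ctype == SSH_AGENT_CONSTRAIN_LIFETIME:
            (info["lifetime"],) = struct.unpack_from(">I", msg, off)
            off += 4
        elif ctype == SSH_AGENT_CONSTRAIN_CONFIRM:
            info["confirm"] = True
        else:
            raise ValueError(f"unknown constraint {ctype}")
    return info


def fingerprint(public_blob: bytes) -> str:
    """SHA256 fingerprint in the unpadded-base64 form `ssh-add -l` prints."""
    digest = hashlib.sha256(public_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_identities_answer(msg: bytes) -> list:
    """Decode IDENTITIES_ANSWER into (fingerprint, comment) pairs."""
    if msg[4] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", msg, 5)
    off, out = 9, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        out.append((fingerprint(blob), comment.decode()))
    return out


def list_identities(sock_path: Optional[str] = None) -> list:
    """Ask a live agent (local or forwarded) what it holds, like `ssh-add -l`."""
    path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(frame(SSH_AGENTC_REQUEST_IDENTITIES, b""))
        data = b""
        while len(data) < 4 or len(data) < 4 + struct.unpack(">I", data[:4])[0]:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("agent closed the socket")
            data += chunk
    return parse_identities_answer(data)


if __name__ == "__main__":
    req = build_add_ed25519(b"\x01" * 32, b"\x02" * 64, "shortlifekey", lifetime=300)
    print(parse_add_request(req))
```

Running the file decodes a constructed `ssh-add -t 300 shortlifekey` request and shows the lifetime constraint that the agent enforces; `list_identities()` against a real SSH_AUTH_SOCK reproduces the fingerprint/comment list seen in the session above. The decoder is the piece worth keeping: an agent proxy that logs `parse_add_request()` results makes it visible when a key arrives over a forwarded socket without a lifetime.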