PrivateKeyCommand config idea
Andy Lutomirski
luto at kernel.org
Tue Mar 12 13:11:55 AEDT 2024
On Mon, Mar 11, 2024, at 6:05 PM, Bernd Eckenfels wrote:
> BTW not for your usecase with the decryption, but if people want to
> dynamically create/provision short lived
> keys, they could use „match host * exec gen-key.sh %s“ config to run a
> program before each connection.
> However it can’t stdout the key material, but what it could do is
> update a temporary Idendity file or
> push it short-lived with ssh-add to the running (standard) agent.
I posted earlier about this -- it works very poorly. In particular, it runs even in cases where nothing is trying to connect. For example:
ssh -O exit host
I personally think the ssh-agent suggestion works poorly. It's fine if one's goal is to configure an agent for all connections made by the running user. But if you want to do it *per host*, then something needs to start the agent and something needs to tell it when it's done.
I can imagine this being improved in a couple ways. For example, there could be an option like:
IdentityAgentCommand foo
where foo is run and the agent protocol is spoken over stdin and stdout. Or maybe the command could pass a connected socket back to its caller (via an awkward SCM_RIGHTS dance) so that the caller wouldn't be forced to remain running.
--Andy
More information about the openssh-unix-dev
mailing list