Re: Filtering which identities are forwarded by ssh-agent to a given host

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Sun, Feb 1, 2015 at 2:52 PM, Bill Nugent <whn@xxxxxxxx> wrote:
>
> Howdy,
>
> I'm looking for a way to restrict which ssh keys are forwarded to a
> given remote host because we have several ssh domains.  That is, I have
> two keys which I use throughout the day:
>   .ssh/network-a-2014-10-12
>   .ssh/network-b-2014-11-22

I think best is to run two agents, load keys of each network to each
agent and at that context use ssh.

>
> I need to forward my network A key to the ssh gateway host for Network A
> to allow me to log into hosts on the other side of the gateway but I
> can't have the key for Network B to be forwarded.  Similar thing for
> Network B.  Deleting and adding is painful at best.  I've experimented
> with IdentiesOnly=yes and IdentityFiles but on the network A gateway I
> still see all of my loaded keys including Network B.  Is there a way to
> do this already?  If not, would a Buzilla enhancement request be
> welcome?  Perhaps requesting something along the lines of:
>
> Host network-a-gateway.example.com
>         ForwardIdentity      .ssh/network-a-2014-10-12
> and allow additional ForwardIndenty to allow additional keys.

Maybe a simpler and more secure alternative can be having
AgentEnvironmentKey or something similar to enable ssh to use multiple
agents based on the Host's ssh_config, so you actually refer to agent
and not specific keys that are shared within single agent.

>
>         Thank you,
>         Bill
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux