On Sun, 1 Feb 2015, Bill Nugent wrote:

> Howdy,
>
> I'm looking for a way to restrict which ssh keys are forwarded to a
> given remote host because we have several ssh domains. That is, I have
> two keys which I use throughout the day:
> .ssh/network-a-2014-10-12
> .ssh/network-b-2014-11-22
>
> I need to forward my network A key to the ssh gateway host for Network A
> to allow me to log into hosts on the other side of the gateway but I
> can't have the key for Network B to be forwarded. Similar thing for
> Network B. Deleting and adding is painful at best. I've experimented
> with IdentitiesOnly=yes and IdentityFiles but on the network A gateway I
> still see all of my loaded keys including Network B. Is there a way to
> do this already? If not, would a Bugzilla enhancement request be
> welcome? Perhaps requesting something along the lines of:
>
> Host network-a-gateway.example.com
>     ForwardIdentity .ssh/network-a-2014-10-12
>
> and allow additional ForwardIdentity to allow additional keys.

It's not possible to do this unfortunately, but is a feature that I've wanted for a long time. Implementing it required teaching ssh enough of the agent protocol to filter requests sent through it, and doing it exactly right so that users' agents aren't exposed when they connect to a malicious server - so it's not without risk.

I'd still like to implement it one day, but I'm not likely to get to it any time soon (I can't speak for the other developers).

OTOH you could probably write an "agent proxy" pretty easily that presented its own SSH_AUTH_SOCK to ssh and massaged the requests and replies going through it to the real agent. E.g.

    agentproxy -i ~/.ssh/id_rsa_xyzzy.pub ssh -tt xyzzy-bastion ssh xyzzy

This way you get to write it in the language of your choice :)

The agent protocol is pretty simple and is documented in the PROTOCOL.agent file in the OpenSSH distribution, or at https://anongit.mindrot.org/openssh.git/plain/PROTOCOL.agent

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
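The filtering core of the "agent proxy" suggested above, as an added example (not code from the thread or from OpenSSH): it works on unframed agent messages using the message numbers from PROTOCOL.agent, prunes the identities answer down to an allow-list of key blobs, refuses sign requests for any other key, and refuses every other request type so a remote server can only ever see and use the keys you chose to forward. The key blobs and comments below are constructed; a socket loop that reads the uint32-length-framed messages from its own SSH_AUTH_SOCK and relays them to the real agent is assumed to wrap these functions.

```python
import base64
import struct

# Message numbers as defined in PROTOCOL.agent.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13


def put_string(b: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 big-endian length followed by the bytes)."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (value, offset after it)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def load_pub(path: str) -> bytes:
    """Return the wire blob of an OpenSSH .pub file (the base64 second field)."""
    with open(path) as f:
        return base64.b64decode(f.read().split()[1])


def filter_request(msg: bytes, allowed: set):
    """Client-to-agent direction. Returns (forward, reply): forward is the message
    to relay to the real agent, or None if the proxy answers locally with reply."""
    if msg[0] == SSH_AGENTC_REQUEST_IDENTITIES:
        return msg, None                      # listing is fine; the answer gets pruned
    if msg[0] == SSH_AGENTC_SIGN_REQUEST:
        blob, _ = get_string(msg, 1)          # string key blob follows the type byte
        return (msg, None) if blob in allowed else (None, bytes([SSH_AGENT_FAILURE]))
    return None, bytes([SSH_AGENT_FAILURE])   # add/remove/lock/extensions: never relayed


def filter_reply(msg: bytes, allowed: set) -> bytes:
    """Agent-to-client direction: drop keys outside the allow-list from an identities answer."""
    if msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        return msg
    (n,) = struct.unpack_from(">I", msg, 1)
    off, kept = 5, []
    for _ in range(n):                        # each entry: string blob, string comment
        blob, off = get_string(msg, off)
        comment, off = get_string(msg, off)
        if blob in allowed:
            kept.append(put_string(blob) + put_string(comment))
    return bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(kept)) + b"".join(kept)


# Constructed sample: two fake key blobs and the identities answer a real agent might return.
KEY_A = put_string(b"ssh-ed25519") + put_string(b"constructed-key-A")
KEY_B = put_string(b"ssh-ed25519") + put_string(b"constructed-key-B")
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 2)
                 + put_string(KEY_A) + put_string(b"network-a") + put_string(KEY_B) + put_string(b"network-b"))
```

Blobs loaded with load_pub compare equal to the blobs the agent returns, so the allow-list can be built straight from the .pub files named on the proxy's command line.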