On 02/02/15 00:18, Damien Miller wrote:
On Sun, 1 Feb 2015, Bill Nugent wrote:
Host network-a-gateway.example.com
ForwardIdentity .ssh/network-a-2014-10-12
and allow additional ForwardIdentity lines to allow additional keys.
It's not possible to do this unfortunately, but is a feature that I've
wanted for a long time. Implementing it required teaching ssh enough
of the agent protocol to filter requests sent through it, and doing
it exactly right so that users' agents aren't exposed when they connect
to a malicious server - so it's not without risk.
IMHO the way to go is not to teach ssh the agent protocol, but to modify the
agent protocol so that each request gets the hostname requesting it prepended
(forwarded connections would contain the full chain).
Then the agent itself would decide which keys to expose to such a host:
"foo is available for any host", "Provide network-a-key only to
ssh.network-a.com and anything that passed through ssh.network-a.com.",
"Key bar is shown to all hosts but a confirmation dialog will be shown
to the user pointing at the host requesting it.", and so on.
Regards
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
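The per-host key policy sketched in the reply above, modelled as an added example (not OpenSSH code, not the poster's). It assumes the agent receives each request tagged with the hostname chain it came through, ordered from the host ssh connected to directly up to the host asking now; the three policies and host names are constructed to mirror the ones in the message.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List


class Decision(Enum):
    ALLOW = "allow"      # answer the request without asking the user
    CONFIRM = "confirm"  # answer only after a prompt naming the requesting host
    DENY = "deny"        # hide the key from this host entirely


@dataclass(frozen=True)
class KeyPolicy:
    any_host: bool = False                   # "available for any host"
    via_hosts: FrozenSet[str] = frozenset()  # "only to X and anything that passed through X"
    confirm: bool = False                    # "a confirmation dialog will be shown"


def decide(policy: KeyPolicy, chain: List[str]) -> Decision:
    """Decide whether a key may be used by a request carrying this hostname chain.

    chain[0] is the host the local ssh connected to; later entries were appended
    by ssh on each intermediate hop, so the scheme trusts those hops to report
    their successor honestly (a limitation of the proposal, not modelled here).
    """
    if not chain:
        return Decision.DENY  # no origin information: refuse rather than guess
    reachable = policy.any_host or any(host in policy.via_hosts for host in chain)
    if not reachable:
        return Decision.DENY
    return Decision.CONFIRM if policy.confirm else Decision.ALLOW


def filter_identities(policies: Dict[str, KeyPolicy], chain: List[str]) -> List[str]:
    """Key names the agent would list in reply to a request-identities from this chain."""
    return [name for name, pol in policies.items() if decide(pol, chain) is not Decision.DENY]


# Constructed sample policies mirroring the three examples in the message.
POLICIES = {
    "foo": KeyPolicy(any_host=True),
    "network-a-key": KeyPolicy(via_hosts=frozenset({"ssh.network-a.com"})),
    "bar": KeyPolicy(any_host=True, confirm=True),
}

if __name__ == "__main__":
    for chain in (["ssh.network-a.com"],
                  ["ssh.network-a.com", "db.network-a.internal"],
                  ["other.example.net"]):
        print(chain, filter_identities(POLICIES, chain), decide(POLICIES["network-a-key"], chain))
```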