Dear all,

bear with me, I know the SUBJECT sounds pretty unclear. I'll clarify in a minute. And please excuse that, due to the keywords being unclear, no usable help was found on Google & Co...

Assume there is a workstation which connects to multiple machines, one of which is considered potentially unsafe. So, it would be nice to have agent forwarding to that machine combined with the confirmation option of ssh-add (-c). If the 'forwarded key' is used on this machine, the user is prompted on the workstation. An intruder cannot use the authentication information without the user knowing (at least that is how I understood the idea of agent confirmation).

Using ssh-add -c on the workstation together with setting 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour. Unfortunately, this means the user is asked for confirmation each time the key is used, even if it is just to connect to a safe machine or without agent forwarding.

Question: Is it possible to just get asked for confirmation when the key is used on a machine to which agent forwarding is used? Can this be set on a per-host basis, like enabling/disabling agent forwarding in .ssh/config?

One workaround I could think of would be to use a separate ssh key just for that machine, and just add that one with the ssh-add -c option.

Any hints?

Thanks in advance,
Johannes

- --
`Voldemort himself created his worst enemy, just as tyrants everywhere do! Have you any idea how much tyrants fear the people they oppress?
All of them realise that, one day [...] there is sure to be one who rises against them and strikes back.´ (Harry Potter 6)

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
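The workaround mentioned in the post (a dedicated key for the untrusted host, loaded with confirmation), written out as an added example of a ~/.ssh/config; this is not from the original message or from the OpenSSH project, and the host name, host alias and key file names are assumptions. It also shows the two points that make the workaround actually do what is wanted: the per-host block must come before `Host *` because ssh_config uses the first value obtained for each option, and `IdentitiesOnly yes` keeps the other keys from being offered to the untrusted host during the login itself.

```ssh_config
# ~/.ssh/config  (added example; names and paths are assumptions)
#
# On the workstation, load the keys like this:
#   ssh-add    ~/.ssh/id_ed25519      # everyday key, no confirmation prompt
#   ssh-add -c ~/.ssh/id_untrusted    # dedicated key, prompt on every use
#
# Per-host blocks must precede "Host *": for each option ssh keeps the
# first value it reads, so a later "Host *" cannot override them.

# The potentially unsafe machine: agent forwarding on, but authenticate
# only with the dedicated key that was added with -c.
Host untrusted
    HostName untrusted.example.org
    ForwardAgent yes
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_untrusted

# Everything else: no forwarding, default identity files only, so the
# everyday key (added without -c) never triggers a confirmation prompt.
Host *
    ForwardAgent no
    IdentitiesOnly yes
```

Caveat: `IdentitiesOnly` restricts which keys the workstation offers when it logs in; it does not restrict what the forwarded agent answers afterwards. With `ForwardAgent yes`, every key in the agent, including `id_ed25519` loaded without `-c`, can be used by whoever controls the untrusted host, and only the `-c` keys will prompt. If the everyday key must not be exposed that way, keep it out of the agent while connected to that host, or, on OpenSSH 8.9 and later, add it with a destination constraint (`ssh-add -h`) so the agent refuses to use it through that hop.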