On Mon, 23 Feb 2015, Johannes Kastl wrote:

> Dear all,
>
> bear with me, I know the SUBJECT sounds pretty unclear. I'll clarify
> in a minute. And please excuse that due to the keywords being unclear
> no usable help was found on google & Co...
>
> Assume there is a workstation, which connects to multiple machines,
> one of which is considered potentially unsafe. So, it would be nice to
> have agent forwarding to that machine combined with the confirmation
> option of ssh-add (-c). If the 'forwarded key' is used on this
> machine, the user is prompted on the workstation. An intruder cannot
> use the authentication information without the user knowing (at least
> that is how I understood the idea of agent confirmation).
>
> Using ssh-add -c on the workstation together with setting
> 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour.
>
> Unfortunately, this means the user is asked for confirmation each
> time the key is used, even if it is just to connect to a safe machine
> or without agent forwarding.
>
> Question:
> Is it possible to just get asked for confirmation when the key is
> used on a machine to which agent forwarding is used? Can this be set
> on a per-host basis, like enabling/disabling agent forwarding in
> .ssh/config?

No and no.

You might want to check the mailing list archive for the thread
"Filtering which identities are forwarded by ssh-agent to a given host"
a couple of weeks ago for a related discussion.

-d

_______________________________________________
openssh-unix-dev mailing list
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
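The one knob the thread does confirm is per-host: ForwardAgent in ~/.ssh/config, where ssh keeps the first value obtained for a host. The following is an added example, not code from the thread or from OpenSSH, showing a minimal reader for that first-match rule so you can check which hosts would actually receive a forwarded agent; the host names and config text are constructed, and pattern matching is approximated with fnmatch.

```python
"""Added example: report the effective ForwardAgent setting per host from an
ssh_config-style file, using ssh's first-match-wins rule. The config and host
names below are constructed for illustration; nothing is read from disk."""
import fnmatch

# Constructed ~/.ssh/config: agent forwarding only to the one host that needs it,
# explicitly off for everything else (ssh's default is also "no").
SAMPLE_CONFIG = """\
Host build-untrusted
    HostName build.example.internal
    ForwardAgent yes

Host *.example.internal
    User deploy

Host *
    ForwardAgent no
"""

def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order."""
    stanzas, patterns, options = [], ["*"], {}   # options before any Host apply to all
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            stanzas.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)       # first value in a stanza wins
    stanzas.append((patterns, options))
    return stanzas

def host_matches(host, patterns):
    """ssh Host matching: some positive pattern matches and no '!' pattern does.
    fnmatch is an approximation of ssh's '*' and '?' globbing."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)

def effective_option(config_text, host, keyword, default=None):
    """Value ssh would use for keyword on host: the first match in file order."""
    for patterns, options in parse_ssh_config(config_text):
        if host_matches(host, patterns) and keyword.lower() in options:
            return options[keyword.lower()]
    return default

def forward_agent_enabled(config_text, host):
    return effective_option(config_text, host, "ForwardAgent", "no").lower() == "yes"
```

Run it against your real ~/.ssh/config text to list which hosts get forwarding; the ssh-add -c confirmation itself stays global regardless of what this reports.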