On 2/23/15 11:45 AM, Johannes Kastl wrote:
> Assume there is a workstation, which connects to multiple machines, one of which is considered potentially unsafe. So, it would be nice to have agent forwarding to that machine combined with the confirmation option of ssh-add (-c). If the 'forwarded key' is used on this machine, the user is prompted on the workstation. An intruder cannot use the authentication information without the user knowing (at least that is how I understood the idea of agent confirmation).
>
> Using ssh-add -c on the workstation together with setting 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour. Unfortunately, this means the user is asked for confirmation each time the key is used, even if it is just to connect to a safe machine or without agent forwarding.
>
> Question: Is it possible to just get asked for confirmation when the key is used on a machine to which agent forwarding is used? Can this be set on a per-host basis, like enabling/disabling agent forwarding in .ssh/config?
You'll need to run 2 agents if you want different agent behaviour. Sadly I don't know of any way to select which agent gets used in ssh_config - you'd also have to wrap ssh to flip the SSH_AUTH_SOCK env var.
-- 
Carson

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
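As an added example (not from the thread and not OpenSSH's own tooling), here is one way to implement the two-agent setup Carson describes: one agent holds the key without confirmation for ordinary connections, a second agent holds the same key loaded with `ssh-add -c`, and a small wrapper around `ssh` points `SSH_AUTH_SOCK` at the confirming agent only for hosts whose effective config has `ForwardAgent yes`. It assumes `ssh -G` is available (it prints the resolved configuration for a host and was added in OpenSSH 6.8, so it postdates this 2015 thread), and the socket paths, the function names and the key path are hypothetical.

```shell
#!/bin/sh
# Two agents, selected per host by a wrapper around ssh.
# Socket paths are assumptions; override them in the environment if needed.
SAFE_AGENT_SOCK="${SAFE_AGENT_SOCK:-$HOME/.ssh/agent-plain.sock}"
CONFIRM_AGENT_SOCK="${CONFIRM_AGENT_SOCK:-$HOME/.ssh/agent-confirm.sock}"

# One-time setup per login session: start both agents and load the key
# into each, with confirmation (-c) only in the agent that gets forwarded.
# Hypothetical key path; adjust to the key you actually use.
start_agents() {
    ssh-agent -a "$SAFE_AGENT_SOCK" >/dev/null
    ssh-agent -a "$CONFIRM_AGENT_SOCK" >/dev/null
    SSH_AUTH_SOCK="$SAFE_AGENT_SOCK"    ssh-add    "$HOME/.ssh/id_ed25519"
    SSH_AUTH_SOCK="$CONFIRM_AGENT_SOCK" ssh-add -c "$HOME/.ssh/id_ed25519"
}

# Given the text of `ssh -G <host>` (one "keyword value" pair per line),
# print the socket of the agent that should be used for that host:
# the confirming agent when ForwardAgent resolves to yes, otherwise
# the plain agent. Missing or unparseable input defaults to the plain agent.
pick_agent_sock() {
    fwd=no
    while IFS=' ' read -r key val; do
        [ "$key" = "forwardagent" ] && fwd="$val"
    done <<EOF
$1
EOF
    case "$fwd" in
        yes) printf '%s\n' "$CONFIRM_AGENT_SOCK" ;;
        *)   printf '%s\n' "$SAFE_AGENT_SOCK" ;;
    esac
}

# Wrapper: resolve the host's effective config, pick the matching agent,
# then hand over to the real ssh with all original arguments intact.
# Use it as: ssh_with_agent untrusted.example [further ssh args]
ssh_with_agent() {
    cfg=$(ssh -G "$1" 2>/dev/null) || cfg=""
    SSH_AUTH_SOCK=$(pick_agent_sock "$cfg") exec ssh "$@"
}
```

Only the agent whose socket is exported gets forwarded, so the remote side of a `ForwardAgent yes` connection can reach the key solely through the confirming agent, and every signing request from that host triggers a prompt on the workstation; connections to hosts without forwarding use the plain agent and never prompt. Keep in mind that the wrapper only inspects the first argument as the host, so invocations that put options before the hostname need the host extracted first.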