I have a script I've used over the years for precisely this kind of wizardry. https://github.com/jbeverly/ssh_client_cmdline The one example in bin does what CanonicalizeHostname basically does now; I don't have the agent flipping one up in git (perhaps I'll push it when I get home) Figured I'd mention it in case it turned out to be handy. On Monday, February 23, 2015 12:50 PM, Carson Gaspar <carson@xxxxxxxxxx> wrote: On 2/23/15 11:45 AM, Johannes Kastl wrote: > Assume there is a workstation, which connects to multiple machines, > one of which is considered potentially unsafe. So, it would be nice to > have agent forwarding to that machine combined with the confirmation > option of ssh-add (-c). If the 'forwarded key' is used on this > machine, the user is prompted on the workstation. An intruder cannot > use the authentication information without the user knowing (at least > that is how I understood the idea of agent confirmation). > > Using ssh-add -c on the workstation together with setting > 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour. > > Unfortunately, this means the user is asked for confirmation, each > time the keys is used. Even if it is just to connect to a safe machine > or without agent forwarding. > > Question: > Is it possible to just get asked for confirmation, when the key is > used on a machine, to which agent forwarding is used? Can this be set > on a per-host-basis, like enabling/disabling agent forwarding in > .ssh/config? You'll need to run 2 agents if you want different agent behaviour. Sadly I don't know of any way to select which agent gets used in ssh_config - you'd also have to wrap ssh to flip the SSH_AUTH_SOCK env var. -- Carson _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev