On 30/05/15 08.34, Nico Kadel-Garcia wrote:
> On Sat, May 30, 2015 at 8:00 AM, Kasper Dupont
> <kasperd@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > As far as I can tell when the ssh command uses an agent to
> > authenticate to a server and then forwards an agent to that
> > server, it will always use the same agent for both purposes.
> >
> > Has there been any attempt to make it possible for the ssh
> > command to use two different agents, such that I can use one
> > agent to authenticate and then forward a different agent to
> > the server?
>
> That sounds really, really awkward, and would create a real
> "provenance" problem for the agent being accessed on the other side.

This couldn't possibly be a problem for the other side; the other side
will only ever know about one agent.

> What problem are you actually trying to solve?

On my laptop I have key1 and key2. I can use key1 to log in on server1,
and I can use key2 to log in on server2. I want neither key to leave the
laptop, and only key2 is allowed to be forwarded to other hosts.

I need to ssh to server1 and on server1 run an scp command to exchange
files with server2.

This approach works as long as key1 is not encrypted:

  ssh-agent bash
  ssh-add key2
  ssh -i key1 -A server1

But if key1 is encrypted it is highly inconvenient to have to type my
password each time I connect to server1. It is also prone to phishing
attacks, because when I type the ssh command, how can I really know if
the password prompt I see is from ssh needing to decrypt key1 or from
server1 trying to get my decryption password?

Starting two agents locally and loading key1 and key2 into separate
agents is trivial. Storing the name of the socket for the first agent in
a secondary environment variable before starting the second agent (and
overwriting SSH_AUTH_SOCK) is also trivial.

But now that I have two environment variables pointing to the two
agents, I can't ask ssh to use the first agent to log me in on server1
and forward the other agent. Because ssh will use SSH_AUTH_SOCK for both
purposes.

It is surely possible to update the ssh command to support the use of
two separate agents (for example by allowing the paths to the two
sockets to be specified in two configuration options). I just want to
know if anybody did this already, so I don't waste my time reinventing
the wheel.

-- 
Kasper Dupont -- Real men write their own backup programs
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
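Added example, not code from the thread: the split-agent layout Kasper describes, built on two ssh_config options that postdate this 2015 thread (IdentityAgent, OpenSSH 7.3, picks the socket used to authenticate; ForwardAgent accepting a socket path, OpenSSH 8.2, picks the socket that is forwarded), so key1 is never exposed to server1. Socket paths, key file names and the host name server1 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): key1 authenticates to server1 and is
# never forwarded; key2 lives in a second agent and is the only one server1
# sees. Socket paths, key file names and the host name are assumptions.

# Return 0 if an "ssh -V" banner names OpenSSH 8.2 or newer (the release that
# let ForwardAgent take a socket path; IdentityAgent dates from 7.3).
openssh_version_ok() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    if [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; }; then
        return 0
    fi
    return 1
}

# Start a dedicated agent bound to a fixed socket and load exactly one key.
start_agent() {  # $1 = socket path, $2 = private key file
    ssh-agent -a "$1" >/dev/null
    SSH_AUTH_SOCK=$1 ssh-add "$2"
}

# Count the identities an agent holds; the forwarded one should report 1.
agent_key_count() {  # $1 = socket path
    SSH_AUTH_SOCK=$1 ssh-add -l 2>/dev/null | grep -c '^[0-9]' || true
}

# Authenticate through one agent and forward the other. SSH_CMD can be
# overridden (e.g. with echo) to inspect the arguments without connecting.
run_ssh() {  # $1 = auth socket, $2 = socket to forward, $3 = host
    ${SSH_CMD:-ssh} -o "IdentityAgent=$1" -o "ForwardAgent=$2" "$3"
}

# Demo; set SPLIT_AGENT_DEMO=1 to actually start agents and connect.
if [ "${SPLIT_AGENT_DEMO:-0}" = 1 ]; then
    openssh_version_ok "$(ssh -V 2>&1)" || { echo "need OpenSSH 8.2+" >&2; exit 1; }
    AUTH_SOCK=$HOME/.ssh/agent-key1.sock   # holds key1, never forwarded
    FWD_SOCK=$HOME/.ssh/agent-key2.sock    # holds key2, the only agent server1 sees
    start_agent "$AUTH_SOCK" "$HOME/.ssh/key1"
    start_agent "$FWD_SOCK" "$HOME/.ssh/key2"
    [ "$(agent_key_count "$FWD_SOCK")" -eq 1 ] || exit 1
    run_ssh "$AUTH_SOCK" "$FWD_SOCK" server1
fi
```

On server1, `ssh-add -l` should then list only key2, which is the check that key1 stayed on the laptop.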