On 01/06/15 11.28, Damien Miller wrote:
> On Sat, 30 May 2015, Kasper Dupont wrote:
>
> > As far as I can tell when the ssh command uses an agent to
> > authenticate to a server and then forwards an agent to that server, it
> > will always use the same agent for both purposes.
> >
> > Has there been any attempt to make it possible for the ssh command
> > to use two different agents, such that I can use one agent to
> > authenticate and then forward a different agent to the server?
>
> You could probably rig something up using the Unix domain socket
> forwarding that was added a couple of releases ago.

Wouldn't that require an updated server?

What I had in mind would be a fairly simple client side change that
wouldn't change the protocol used between client and server in any way.

> More generally, I've long wanted the ability to restrict which keys are
> made available through a forwarded-agent but doing so either requires
> teaching ssh most of the agent protocol and moving ssh into the trust
> path for agent keys, or a more substantial rearchitecture of how agents
> are forwarded (giving each ssh a long-lived socket to the agent, or some
> sort of cookie that stood for one instead of creating socket on-demand).

I have seen such a thing implemented externally to the ssh client:
http://serverfault.com/a/660299/214507

But if I were to use that tool, I would still like the ssh client to use
the unfiltered agent to authenticate and then forward the filtered client.

-- 
Kasper Dupont -- Real men write their own backup programs
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev