Re: Using two agents

On 01/06/15 11.28, Damien Miller wrote:
> On Sat, 30 May 2015, Kasper Dupont wrote:
> 
> > As far as I can tell when the ssh command uses an agent to
> > authenticate to a server and then forwards an agent to that server, it
> > will always use the same agent for both purposes.
> >
> > Has there been any attempt to make it possible for the ssh command
> > to use two different agents, such that I can use one agent to
> > authenticate and then forward a different agent to the server?
> 
> You could probably rig something up using the Unix domain socket
> forwarding that was added a couple of releases ago.

Wouldn't that require an updated server? What I had in mind
would be a fairly simple client side change that wouldn't
change the protocol used between client and server in any
way.

> 
> More generally, I've long wanted the ability to restrict which keys are
> made available through a forwarded-agent but doing so either requires
> teaching ssh most of the agent protocol and moving ssh into the trust
> path for agent keys, or a more substantial rearchitecture of how agents
> are forwarded (giving each ssh a long-lived socket to the agent, or some
> sort of cookie that stood for one instead of creating socket on-demand).

I have seen such a thing implemented externally to the ssh
client: http://serverfault.com/a/660299/214507

But if I were to use that tool, I would still like the ssh
client to use the unfiltered agent to authenticate and then
forward the filtered client.

-- 
Kasper Dupont -- Rigtige mænd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
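The "filter the keys before forwarding" idea discussed in this thread (an external filtering agent, then forwarding the filtered socket rather than the real one) can be demonstrated with a small proxy. The following is an added example written for this archive page, not code from OpenSSH or from the tool linked above. It speaks just enough of the ssh-agent protocol to hide non-allow-listed keys from identity listings and to refuse signing requests for them; the key blobs used in the comments and tests are constructed stand-ins, not real keys, and the socket paths are placeholders.

```python
import socket
import struct

# ssh-agent protocol message numbers (draft-miller-ssh-agent)
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13

FAILURE = bytes([SSH_AGENT_FAILURE])


def get_string(data, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at offset off."""
    (n,) = struct.unpack_from(">I", data, off)
    return data[off + 4:off + 4 + n], off + 4 + n


def put_string(b):
    return struct.pack(">I", len(b)) + b


def frame(msg):
    """Wire framing: every agent message is prefixed with its uint32 length."""
    return struct.pack(">I", len(msg)) + msg


def parse_identities(body):
    """Decode SSH_AGENT_IDENTITIES_ANSWER into a list of (key_blob, comment)."""
    if not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = get_string(body, off)
        comment, off = get_string(body, off)
        keys.append((blob, comment))
    return keys


def build_identities_answer(keys):
    out = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        out += put_string(blob) + put_string(comment)
    return out


def filter_client_request(body, allowed):
    """Return (forward_to_real_agent, immediate_reply) for a client message.

    Only identity listing and signing with an allow-listed key blob are passed
    on. Signing with any other key, and every other operation (add/remove
    identities, lock/unlock, extensions) is answered with SSH_AGENT_FAILURE
    without ever reaching the real agent.
    """
    try:
        if body and body[0] == SSH_AGENTC_REQUEST_IDENTITIES:
            return True, None
        if body and body[0] == SSH_AGENTC_SIGN_REQUEST:
            blob, _ = get_string(body, 1)
            if blob in allowed:
                return True, None
    except struct.error:  # truncated or malformed request
        pass
    return False, FAILURE


def filter_agent_response(body, allowed):
    """Drop non-allow-listed keys from an identities answer; pass the rest through."""
    if body and body[0] == SSH_AGENT_IDENTITIES_ANSWER:
        keys = [(b, c) for b, c in parse_identities(body) if b in allowed]
        return build_identities_answer(keys)
    return body if body else FAILURE


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None  # peer closed the connection
        buf += chunk
    return buf


def read_message(sock):
    """Read one length-prefixed agent message; None on EOF."""
    hdr = recv_exact(sock, 4)
    if hdr is None:
        return None
    return recv_exact(sock, struct.unpack(">I", hdr)[0])


def serve(listen_path, agent_path, allowed):
    """Relay clients of listen_path to the real agent at agent_path, filtered.

    Placeholder paths, e.g. serve("/tmp/filtered.sock", "/tmp/real-agent.sock",
    {blob}); point the forwarded socket at listen_path, not at the real agent.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(listen_path)
    srv.listen(1)
    while True:
        client, _ = srv.accept()
        with client, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as agent:
            agent.connect(agent_path)
            while (req := read_message(client)) is not None:
                forward, reply = filter_client_request(req, allowed)
                if forward:
                    agent.sendall(frame(req))
                    reply = filter_agent_response(read_message(agent), allowed)
                client.sendall(frame(reply))
```

The allow-list is keyed on the exact public key blob, so a forwarded peer cannot substitute a different key in a sign request; the proxy also never forwards add/remove/lock messages, which a plain forwarded agent would accept. To pair it with the socket forwarding Damien mentions, the local ssh would authenticate with `SSH_AUTH_SOCK` pointing at the real agent and carry the proxy's listening socket to the remote side with `-R` (remote-side Unix domain socket forwarding, which does need an sshd that supports it); on the remote host `SSH_AUTH_SOCK` is then set to the forwarded path by hand, since that path is not the one `-A` would have set up.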