On Fri, Sep 18, 2015 at 10:58 PM, Ángel González <keisial@xxxxxxxxx> wrote:
> On 18/09/15 15:47, Fabiano Fidêncio wrote:
>>
>> Howdy!
>>
>> I've been working on a prototype that allows ssh-agent forwarding
>> between a guest, using SPICE, and a spice client
>> (remote-viewer/virt-viewer/spicy).
>> The whole idea is to have something similar to "ssh -A guest", but
>> integrated with the desktop environment.
>>
>> As a proof of concept I wrote a standalone ssh-agent that _unlinks_ the
>> currently running agent in the guest machine and creates its socket in
>> the same path used by the old agent.
>
> unlinking the socket seems a bit overkill. You could play with
> SSH_AUTH_SOCK

Playing with SSH_AUTH_SOCK may be a bit problematic. As far as I
understand, it would require a session restart in order to set a new
value for the env var (at least using GNOME).

Btw, I would like to be really clear here that I am focused on a
DE-agnostic solution. :-)

>> A few possible solutions for this would involve a way to support more
>> than one agent, talking to both (the local one and the spice one),
>> merging their responses and returning them to any application which
>> sent the request. Note that it would be really nice if we could limit
>> it to doing just some operations (like, ssh-add .ssh/id_rsa probably
>> must not go to the spice agent).
>>
> I would make a proxy ssh agent that linearly attempts from each
> child agent. The add operations would always go to the first agent
> (unless it returned an error?).
>
> I also like the idea of SSH_AUTH_SOCK containing a list of sockets.
>

The proxy agent would be the spice one or the one already running in
the system? This part is very important, because when you are doing a
ssh-add .ssh/id_rsa you really want the key to be added to your system
agent (it means, the gnome-keyring-daemon agent or ssh-agent, depending
on the DE you're using).

Considering we want to have the system agent as a dispatcher ... how
would we add a second agent to it without extending the protocol?
Again, adding it to SSH_AUTH_SOCK may be a solution, but then all DEs
must add the spice agent socket path regardless of whether it's running
or not. That's the reason I still think that having a ssh-add -p
path/to/the/socket would be better. It could be dynamically set and
would not require a DE session restart.

Best Regards,
--
Fabiano Fidêncio
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
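The dispatch rule discussed in this thread (Ángel's proxy agent that tries child agents in order, with Fabiano's constraint that ssh-add must only reach the system agent), as an added example that is not code from either poster or from SPICE. Child agents are modelled as callables taking one wire-format request and returning one reply, and `fake_agent` is a constructed stand-in, so it runs offline; a real proxy would replace those callables with UNIX-socket I/O.

```python
import struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE, SSH_AGENT_SUCCESS = 5, 6
SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER = 11, 12
SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 13, 14
SSH_AGENTC_ADD_IDENTITY = 17

def put_string(b):
    """Encode an ssh 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def frame(msg_type, payload=b""):
    """Prefix a message body (type byte + payload) with its uint32 length."""
    return put_string(bytes([msg_type]) + payload)

def unframe(data):
    """Split one framed message into (type, payload)."""
    (length,) = struct.unpack(">I", data[:4])
    return data[4], data[5:4 + length]

def proxy_dispatch(request, agents):
    """Route one client request; agents[0] is the user's system agent.
    Listing merges every agent's keys, add goes to the first agent only,
    anything else (e.g. signing) is tried agent by agent until one succeeds."""
    msg_type, _ = unframe(request)
    if msg_type == SSH_AGENTC_REQUEST_IDENTITIES:
        nkeys, merged = 0, b""
        for agent in agents:
            rtype, rpayload = unframe(agent(request))
            if rtype == SSH_AGENT_IDENTITIES_ANSWER:
                nkeys += struct.unpack(">I", rpayload[:4])[0]
                merged += rpayload[4:]  # (key blob, comment) pairs, appended as-is
        return frame(SSH_AGENT_IDENTITIES_ANSWER, struct.pack(">I", nkeys) + merged)
    if msg_type == SSH_AGENTC_ADD_IDENTITY:
        return agents[0](request)  # never forward private keys to the spice agent
    for agent in agents:
        reply = agent(request)
        if unframe(reply)[0] != SSH_AGENT_FAILURE:
            return reply
    return frame(SSH_AGENT_FAILURE)

def fake_agent(key_blobs, can_sign):
    """Constructed stand-in for a child agent's socket (not a real agent)."""
    def handle(request):
        msg_type, _ = unframe(request)
        if msg_type == SSH_AGENTC_REQUEST_IDENTITIES:
            keys = b"".join(put_string(k) + put_string(b"c") for k in key_blobs)
            return frame(SSH_AGENT_IDENTITIES_ANSWER, struct.pack(">I", len(key_blobs)) + keys)
        if msg_type == SSH_AGENTC_ADD_IDENTITY:
            key_blobs.append(b"new-key")
            return frame(SSH_AGENT_SUCCESS)
        return frame(SSH_AGENT_SIGN_RESPONSE, put_string(b"sig")) if can_sign else frame(SSH_AGENT_FAILURE)
    return handle
```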