On Sat, Sep 19, 2015 at 2:57 AM, Peter Stuge <peter@xxxxxxxx> wrote: > Fabiano Fidêncio wrote: >> > One obvious approach is to create a proxy agent which looks like an >> > agent to all clients, but which also integrates with SPICE. >> >> This is a good solution, probably the best one. The main problem is >> how to implement it. >> We have two clear ways for adding a proxy agent. > > The proxy agent is not "added" but would run "in front of" the > original local agent. In addition to simply proxying from clients to > the original local agent, the proxy agent would be capable of > communicating across SPICE. > >> One is with the SSH_AUTH_SOCK supporting a list of sockets, > > SSH_AUTH_SOCK could be dynamically changed to point to the proxy agent. How could it be done dinamically for the whole session? I mean, setting an env var for the whole DE session would require a session restart (at least for GNOME). > > >> The other option would be extend the ssh-agent protocol to support a >> few new operations (add/remove the proxy agent) and then we could just >> do a ssh-add --proxy path/to/the/socket ... > > This seems unneccessary - just put the proxy agent in front of the > original one. And here we have the problem to convince DE developers to set the spice-agent as the first one ... actually, I don't think that would be a problem for GNOME but may be a problem for any other DEs, I will try to talk to them.. Hmm. Maybe it can be the best way to go, but I still have to do some tests using kde/xfce and see the if I can ensure that the spice-agent will run firstly and then that the ssh-agent will set SSH_AUTH_SOCK=$SSH_AUTH_SOCK:/path/to/the/system/ssh/agent. Best Regards, -- Fabiano Fidêncio _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev