Hector Martin 'marcan' wrote:
> > Since forwarding ssh processes just forward agent socket bytes
> > without tracking the protocol state in that stream adding a packet
> > isn't trivial.
>
> It's reasonably trivial if the definition is that the forwarded-for
> extension chain happens once when agent connections are opened. Then the
> ssh process just needs to send the extension, wait for the reply
> (whether positive or not-supported), eat it, and move on with forwarding
> the remaining bytestream.

I wouldn't like to introduce a hard requirement for agent socket
connections to only perform private key operations for a single nexthop.

The OpenSSH ssh client is but one agent socket consumer...

But I'm all for the idea for case 1.

//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
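The connection-open exchange described in the quoted text, as an added example that is not part of the original message and is not OpenSSH code: a forwarder sends one extension request, consumes exactly one framed reply whether it is success or not-supported, and only then passes bytes through. The extension name, its payload layout (a single string carrying the hop) and the host name are assumptions; the upstream agent is a constructed stand-in.

```python
import socket, struct, threading

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
REQUEST_IDENTITIES, IDENTITIES_ANSWER = 11, 12
FAILURE, SUCCESS, EXTENSION = 5, 6, 27
EXT_NAME = b"forwarded-for@example.invalid"  # hypothetical name, not a real extension

def frame(payload):
    return struct.pack(">I", len(payload)) + payload  # uint32 length prefix

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent socket closed")
        buf += chunk
    return buf

def read_frame(sock, max_len=256 * 1024):
    (n,) = struct.unpack(">I", recv_exact(sock, 4))
    if not 0 < n <= max_len:
        raise ValueError("bad agent frame length")
    return recv_exact(sock, n)

def announce_hop(agent, hop):
    """Send the extension once, eat exactly one reply, report whether it was accepted."""
    agent.sendall(frame(bytes([EXTENSION]) + frame(EXT_NAME) + frame(hop)))
    return read_frame(agent)[0] == SUCCESS  # FAILURE means "not supported"; carry on

def fake_agent(sock, supports_ext):
    """Constructed stand-in for the upstream agent."""
    try:
        while True:
            msg = read_frame(sock)
            if msg[0] == EXTENSION:
                sock.sendall(frame(bytes([SUCCESS if supports_ext else FAILURE])))
            elif msg[0] == REQUEST_IDENTITIES:
                sock.sendall(frame(bytes([IDENTITIES_ANSWER]) + struct.pack(">I", 0)))
    except ConnectionError:
        pass

def demo(supports_ext):
    fwd, agent = socket.socketpair()
    threading.Thread(target=fake_agent, args=(agent, supports_ext), daemon=True).start()
    accepted = announce_hop(fwd, b"host-b.example")  # constructed hop name
    fwd.sendall(frame(bytes([REQUEST_IDENTITIES])))  # stands in for forwarded client bytes
    reply = read_frame(fwd)  # the client sees only its own reply, stream still in sync
    fwd.close()
    return accepted, reply
```

Because the hop is announced once per connection, every later request on that socket is attributed to the same next hop, which is the constraint the reply raises for agent socket consumers other than the ssh client.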