On Wed, 21 Mar 2018, Damien Miller wrote:

> I had more grandiose plans to allow each sshd to sign agent requests
> with the hostkey as they passed through, to allow some sort of chain
> of trust. Unfortunately that would require fairly far reaching
> changes to the SSH protocol to enable binding those signatures to the
> transport instance over which they occur.

I should add that one of the things that put me off pursuing this further was implementing ProxyJump/-J. Complex schemes for verifying agent request provenance seem inferior in most ways to using ProxyJump to set up end-to-end ssh sessions with the ultimate destination. For that case, the main thing you want to do is to locally subset which keys ssh-agent is willing to present to remote destinations, and that's a way simpler problem.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
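The end-to-end ProxyJump setup with locally restricted key selection that the message describes, as an added example client configuration (not part of the mailing-list post or of OpenSSH's own documentation). The hostnames jump.example.com and target.internal, the user name and the key file paths are placeholders; the directives (ProxyJump, IdentitiesOnly, IdentityFile, ForwardAgent) are standard ssh_config options.

```sshconfig
# Added example ~/.ssh/config, not from the post. Hostnames, user and key
# paths are placeholders.

Host jump.example.com
    User alice
    # Offer only this identity to the bastion, even if ssh-agent holds
    # several keys: IdentitiesOnly restricts the agent keys ssh will try.
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_jump
    # The bastion only relays a TCP connection; it never needs the agent.
    ForwardAgent no

Host target.internal
    User alice
    # Tunnel through the bastion, but authenticate end to end: the key
    # challenge is signed for target.internal's own transport, so the
    # bastion sees only encrypted traffic and no agent requests.
    ProxyJump jump.example.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_target
    ForwardAgent no
```

`ssh -G target.internal` prints the effective options so the key subset per destination can be checked before connecting. Since the bastion never receives a forwarded agent socket, a compromised jump host cannot ask the agent to sign anything; loading keys with `ssh-add -c` additionally prompts for confirmation on every signing request, which makes unexpected use of a key visible locally.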