On 17/09/18, Peter Stuge (peter@xxxxxxxx) wrote:
> Rory Campbell-Lange wrote:
> > Can ssh-add work on the remote socket file?
>
> I expect that it will just work<tm>. The local socket is just a
> socket, and the protocol[1] message SSH_AGENT_ADD_KEY is the same.

Local:

    $ ssh-agent > /tmp/agent.env
    $ source /tmp/agent.env
    $ ssh-add ~/.ssh/id_user
    $ ssh -A remote

Remote:

    $ SSH_AUTH_SOCK=/tmp/ssh-1rVbCSbuDP/agent.3145
    $ ssh-add newkey
    Identity added: newkey (newkey)

Local:

    $ source /tmp/agent.env
    $ ssh-add -l
    2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA)
    2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA-CERT)
    2048 SHA256:SZG...5hUQ newkey (RSA)

That worked perfectly, it seems.

> > Is such an operation advisable?
>
> That's up to you. ssh-add decrypts the private key locally where invoked
> and transfers the key in a form immediately usable to the agent.
>
> Once the agent has the key, it's not really possible to force the agent
> to remove it.

I guess one could set a short life on the remotely added key, such as:

Remote:

    SSH_AUTH_SOCK=/tmp/ssh-X85qP7jRtG/agent.4079
    $ ssh-add -t 300 shortlifekey
    Identity added: shortlifekey (shortlifekey)
    Lifetime set to 300 seconds

Local:

    $ ssh-add -l
    2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA)
    2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA-CERT)
    2048 SHA256:SZG...5hUQ newkey (RSA)
    2048 SHA256:7IS...JRi8 shortlifekey (RSA)

wait 5 minutes...

    2048 SHA256:32Cv...qYBs /home/user/.ssh/id_user (RSA)
    2048 SHA256:32Cv...qYBs /home/user/.ssh/id_user (RSA-CERT)
    2048 SHA256:SZGf...5hUQ newkey (RSA)

Thanks for the great pointers
Rory
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
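The thread's point is that a forwarded agent socket is just a socket: anything that can open it speaks the same ssh-agent protocol that the local ssh-add uses, so a key added from the remote end shows up in the local `ssh-add -l`, and a lifetime constraint (`ssh-add -t`) is the lever for limiting how long such a key stays usable. The following Python script is an added example, not code from the thread or from OpenSSH. It implements the request/answer framing of the ssh-agent protocol as published in draft-miller-ssh-agent (message numbers 11, 12 and 25 and constraint type 1 are taken from that draft; the names `frame`, `parse_identities_answer`, `build_add_id_constrained` and `list_agent_identities` are this example's own). It parses a constructed SSH_AGENT_IDENTITIES_ANSWER into the bits / SHA256 fingerprint / comment fields that `ssh-add -l` prints, and shows the framing of the constrained add request that `ssh-add -t 300` sends. The sample key blob is constructed and is not a real key; only `list_agent_identities` needs a live agent on `SSH_AUTH_SOCK`.

```python
"""Minimal ssh-agent protocol pieces (framing per draft-miller-ssh-agent).
Added example; assumptions are marked inline."""
import base64
import hashlib
import os
import socket
import struct

# Message and constraint numbers from draft-miller-ssh-agent.
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_ADD_ID_CONSTRAINED = 25
SSH_AGENT_CONSTRAIN_LIFETIME = 1


def ssh_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' for a non-negative integer (leading 0x00 keeps it positive)."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def frame(msg_type: int, body: bytes = b"") -> bytes:
    """Wrap a message in the agent's length-prefixed frame: uint32 len, byte type, body."""
    return struct.pack(">I", 1 + len(body)) + bytes([msg_type]) + body


def build_request_identities() -> bytes:
    """What `ssh-add -l` sends first: an empty SSH_AGENTC_REQUEST_IDENTITIES."""
    return frame(SSH_AGENTC_REQUEST_IDENTITIES)


def build_add_id_constrained(key_type: str, key_fields: bytes, comment: str, lifetime: int) -> bytes:
    """Framing of the request `ssh-add -t <lifetime>` sends. key_fields is the
    type-specific private key encoding, assumed to be produced elsewhere; this
    function only shows the surrounding message and the lifetime constraint."""
    body = ssh_string(key_type.encode()) + key_fields + ssh_string(comment.encode())
    body += bytes([SSH_AGENT_CONSTRAIN_LIFETIME]) + struct.pack(">I", lifetime)
    return frame(SSH_AGENTC_ADD_ID_CONSTRAINED, body)


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint as ssh-add -l prints it: base64 of the blob digest, '=' stripped."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_bits(key_blob: bytes) -> int:
    """Key size as ssh-add -l reports it; only ssh-rsa (modulus length) handled here."""
    ktype, off = _read_string(key_blob, 0)
    if ktype == b"ssh-rsa":
        _e, off = _read_string(key_blob, off)
        n, _ = _read_string(key_blob, off)
        return int.from_bytes(n, "big").bit_length()
    return 0


def parse_identities_answer(msg: bytes):
    """Parse a framed SSH_AGENT_IDENTITIES_ANSWER into (bits, fingerprint, comment, type)."""
    (length,) = struct.unpack_from(">I", msg, 0)
    body = msg[4:4 + length]
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent message type %d" % body[0])
    (nkeys,) = struct.unpack_from(">I", body, 1)
    off, out = 5, []
    for _ in range(nkeys):
        blob, off = _read_string(body, off)
        comment, off = _read_string(body, off)
        ktype, _ = _read_string(blob, 0)
        out.append((key_bits(blob), fingerprint(blob), comment.decode(), ktype.decode()))
    return out


def list_agent_identities(sock_path=None):
    """Ask a live agent (local or forwarded; the socket does not care) for its keys."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request_identities())
        hdr = s.recv(4)
        (length,) = struct.unpack(">I", hdr)
        body = b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                raise ConnectionError("agent closed the socket mid-message")
            body += chunk
    return parse_identities_answer(hdr + body)


# Constructed sample: a fake 2048-bit ssh-rsa public blob (NOT a real key) and
# the answer an agent would frame for it after `ssh-add newkey`.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 1)
SAMPLE_ANSWER = frame(SSH_AGENT_IDENTITIES_ANSWER,
                      struct.pack(">I", 1) + ssh_string(SAMPLE_BLOB) + ssh_string(b"newkey"))

if __name__ == "__main__":
    for bits, fp, comment, ktype in parse_identities_answer(SAMPLE_ANSWER):
        print(bits, fp, comment, "(%s)" % ktype)
    print(build_add_id_constrained("ssh-rsa", b"", "shortlifekey", 300).hex())
```

Running the script offline prints one line in the same shape as the `ssh-add -l` output quoted above, then the hex of a constrained add request whose last five bytes are the lifetime constraint (type 1, then 300 as a uint32). Any process on the remote host that can reach the forwarded socket can send exactly these messages, which is the practical reason the lifetime constraint matters; `ssh-add -c` (per-use confirmation) is the other constraint OpenSSH offers for keys you would rather not leave silently usable.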