Klemens Nanni wrote:
> In theory, I could probably use a single agent and implement my
> desired separation between distinct sites with such rules, but that
> seems a) more error prone to me and b) requires more duplication, e.g.
> hostnames and their relation now have to be manually entered into
> ssh-agent(1) with ssh-add(1)'s `-h'.

I'm not sure even that will accomplish what you want. Once an agent socket is forwarded to A, A can communicate with that agent at will. If the agent can know to respond differently based on extra information (e.g. that a request is coming from B through A) then it could implement the rules you want, but AFAIK the agent can only know *for sure* that a request arrived from A, nothing more. The agent can't know whether A is truthful about a request originating from B or from A itself.

I think you have to combine ProxyJump with a potentially complex local agent setup/rules, and *never* forward any agent socket in order to limit visibility of specific keys to specific hosts.

Kind regards
//Peter

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
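A client configuration along the lines Peter describes above, added here as an illustration and not taken from the thread: the hostnames `a.example.com`, `b.example.com` and the key file names are assumed.

```sshconfig
# ~/.ssh/config (added example; hostnames and key file names are assumed)

# Default for every host: never hand an agent socket to the remote side,
# and offer only the key configured for that host, even if the local
# agent holds more keys.
Host *
    ForwardAgent no
    IdentitiesOnly yes

# Jump host A: authenticate with A's key only.
Host a
    HostName a.example.com
    IdentityFile ~/.ssh/id_ed25519_a

# Target B: reached through A with ProxyJump. A only relays the TCP
# connection; authentication to B is performed by the local client with
# B's key. A never sees an agent socket, so it cannot use B's key at all.
Host b
    HostName b.example.com
    ProxyJump a
    IdentityFile ~/.ssh/id_ed25519_b
```

Both keys can still live in a single local ssh-agent for passphrase caching; IdentitiesOnly keeps each host from being offered the other host's key, and the absence of ForwardAgent keeps the agent reachable only from the local machine.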