Re: ForwardAgent without IdentityAgent?



Klemens Nanni wrote:
> In theory, I could probably use a single agent and implement my
> desired separation between distinct sites with such rules, but that
> seems a) more error prone to me and b) requires more duplication, e.g.
> hostnames and their relation now have to be manually entered into
> ssh-agent(1) with ssh-add(1)'s `-h'.

I'm not sure even that will accomplish what you want.

Once an agent socket is forwarded to A, A can communicate with that
agent at will.

If the agent can know to respond differently based on extra
information (e.g. that a request is coming from B through A) then it
could implement the rules you want, but AFAIK the agent can only know
*for sure* that a request arrived from A, nothing more.

The agent can't know whether A is truthful about a request originating
from B or from A itself.

I think you have to combine ProxyJump with a potentially complex
local agent setup/rules, and *never* forward any agent socket in
order to limit visibility of specific keys to specific hosts.

Kind regards

openssh-unix-dev mailing list
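The setup the reply describes (one local agent per site, every hop reached via ProxyJump, and agent forwarding off everywhere), written out as an added ssh_config example. This is not configuration from the original message or from the OpenSSH project; the socket paths, key names and hostnames are assumptions chosen for the example, and A and B are the hosts named in the thread:

```ssh-config
# Added example, not from the original message. Assumed layout: two local
# agents, one per trust domain, each holding only that site's key. Started
# beforehand with (paths are assumptions):
#   ssh-agent -a ~/.ssh/agent-siteA.sock
#   SSH_AUTH_SOCK=~/.ssh/agent-siteA.sock ssh-add ~/.ssh/id_siteA
#   ssh-agent -a ~/.ssh/agent-siteB.sock
#   SSH_AUTH_SOCK=~/.ssh/agent-siteB.sock ssh-add ~/.ssh/id_siteB

# A: the jump host. Only the site-A agent is ever consulted for it.
Host A
    HostName a.example.org
    IdentityAgent ~/.ssh/agent-siteA.sock
    # Offer only the configured key, not everything the agent holds.
    IdentitiesOnly yes
    # A .pub file selects the matching agent key; no private key on disk needed.
    IdentityFile ~/.ssh/id_siteA.pub
    ForwardAgent no

# B: reached through A with ProxyJump. The SSH session to B is end-to-end
# from the local client, so the site-B agent answers B's auth request
# locally; A only relays an opaque TCP stream and never sees an agent socket.
Host B
    HostName b.example.org
    ProxyJump A
    IdentityAgent ~/.ssh/agent-siteB.sock
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_siteB.pub
    ForwardAgent no

# Default for everything else: never forward an agent.
Host *
    ForwardAgent no
```

To confirm what ssh will actually do for a host before connecting, print the effective configuration with `ssh -G B` and check the `forwardagent`, `identityagent` and `proxyjump` lines. The point of the layout is that no host ever receives an agent socket, so the question of whether A is telling the truth about where a request came from never arises: the key for B is only reachable from the local machine.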
