On Sun, 24 Jul 2022, Klemens Nanni wrote:

> Hi,
>
> I usually use distinct IdentityFile values for distinct sites without
> IdentityAgent set or ssh-agent(1) running, so site A never sees login
> attempts with !A keys.
>
> Now I want to forward an agent containing keys for site B onto site A.
> Logging into A shall only use its respective key and from A I want to
> be able to connect to B using the forwarded agent.

You might also be able to use https://www.openssh.com/agent-restrict.html
for this.

> Having read ssh_config(5)'s ForwardAgent description, my impression was
> that setting this option to a socket path should be enough, i.e.
> $ ssh -oForwardAgent=/path/to/B.sock A
>
> Testing however shows that ForwardAgent has no effect unless
> IdentityAgent is set whatever yields the same socket.
>
> This in turn causes SSH to use the identity agent for authentication
> against A (explicitly undesired) and adding both A and B keys to the
> agent forwarded would result in using both keys A and B for
> authentication against B (explicitly undesired).
>
> It is not obvious to me from the manual that ForwardAgent requires
> IdentityAgent, neither does it make sense to me.
>
> What is the benefit of overwriting IdentityAgent's socket path with
> ForwardAgent=/path/to/sock?

I think this is likely to be an implementation detail that leaked out,
from not plumbing the IdentityAgent path through to
sshconnect2.c:ssh_get_authentication_socket() and it should probably be
cleaned up to allow fully separate Identity/ForwardAgent.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
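The setup the thread describes, written out as an ssh_config(5) fragment. This is an added example, not configuration posted by either participant or shipped by OpenSSH. It assumes host aliases A and B, key files ~/.ssh/id_A and ~/.ssh/id_B, and an agent holding only B's key on /path/to/B.sock (the socket path from the thread); the HostName values are placeholders.

```sshconfig
# Added example, not from the thread. Assumed names: aliases A and B,
# key files ~/.ssh/id_A and ~/.ssh/id_B, agent socket /path/to/B.sock.

Host A
    HostName a.example.org          # placeholder address
    # Log into A with A's key only. IdentitiesOnly makes ssh offer just
    # the configured IdentityFile even when the agent below holds other
    # keys, so B's key is never tried against A (the first thing the
    # thread calls "explicitly undesired").
    IdentityFile ~/.ssh/id_A
    IdentitiesOnly yes
    # The agent that holds B's key. The thread observes that ForwardAgent
    # with a socket path had no effect unless IdentityAgent named the
    # same socket, so both point at it here. IdentitiesOnly above keeps
    # that agent from being used to authenticate to A itself.
    IdentityAgent /path/to/B.sock
    ForwardAgent /path/to/B.sock
```

Once logged in, `ssh B` on A picks up the forwarded socket from SSH_AUTH_SOCK, which sshd sets for the session, so A needs no copy of B's key. To enforce the split on the agent side as the reply suggests, load B's key with a destination constraint so the agent signs for it only on the hop from A to B and never for a direct login to A; an assumed invocation following the agent-restrict page is `SSH_AUTH_SOCK=/path/to/B.sock ssh-add -h "A>B" ~/.ssh/id_B`. ssh-add resolves the names in `-h` against ~/.ssh/known_hosts, so both hosts' keys must already be recorded there, and the names must match the known_hosts entries rather than config aliases. With the constraint in place, the agent refuses the signature for B's key on any path the constraint does not list, so the second "explicitly undesired" case (A and B keys both offered to B) is closed regardless of what the forwarded agent contains.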