On Mon, Mar 11, 2024, at 6:05 PM, Bernd Eckenfels wrote:
> BTW not for your use case with the decryption, but if people want to
> dynamically create/provision short-lived
> keys, they could use „match host * exec gen-key.sh %s“ config to run a
> program before each connection.
> However it can’t stdout the key material, but what it could do is
> update a temporary Identity file or
> push it short-lived with ssh-add to the running (standard) agent.

I posted earlier about this -- it works very poorly. In particular, it runs even in cases where nothing is trying to connect. For example:

ssh -O exit host

I personally think the ssh-agent suggestion works poorly. It's fine if one's goal is to configure an agent for all connections made by the running user. But if you want to do it *per host*, then something needs to start the agent and something needs to tell it when it's done.

I can imagine this being improved in a couple ways. For example, there could be an option like:

IdentityAgentCommand foo

where foo is run and the agent protocol is spoken over stdin and stdout. Or maybe the command could pass a connected socket back to its caller (via an awkward SCM_RIGHTS dance) so that the caller wouldn't be forced to remain running.

--Andy
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
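The "SCM_RIGHTS dance" Andy mentions, as an added example that is not code from this thread or from OpenSSH: a short-lived helper process connects to an agent socket, hands the connected descriptor back to its caller over a Unix socketpair with SCM_RIGHTS, and exits; the caller then speaks the agent protocol over that descriptor after the helper is gone. The "agent" here is a constructed stand-in that answers SSH_AGENTC_REQUEST_IDENTITIES (message 11) with an empty SSH_AGENT_IDENTITIES_ANSWER (message 12), so the whole thing runs offline with only the standard library on Linux or another Unix; the socket path, the helper/caller split and the stand-in agent are all assumptions for illustration.

```python
"""Passing a connected agent socket back to a caller via SCM_RIGHTS.

Added example (not from the thread or from OpenSSH). The agent is a
constructed stand-in that only answers REQUEST_IDENTITIES with zero keys.
Framing follows the SSH agent protocol: uint32 big-endian length, then a
one-byte message type, then the body.
"""
import array
import os
import socket
import struct
import tempfile

SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def send_fd(sock, fd):
    """Send one file descriptor over a Unix-domain socket using SCM_RIGHTS."""
    sock.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS,
                           array.array("i", [fd]))])


def recv_fd(sock):
    """Receive the single descriptor sent by send_fd()."""
    fds = array.array("i")
    msg, ancdata, _flags, _addr = sock.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[: len(data) - (len(data) % fds.itemsize)])
    if msg != b"F" or len(fds) != 1:
        raise RuntimeError("no descriptor received")
    return fds[0]


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("agent connection closed")
        buf += chunk
    return buf


def agent_write(sock, payload):
    """Write one length-prefixed agent protocol message."""
    sock.sendall(struct.pack(">I", len(payload)) + payload)


def agent_read(sock):
    """Read one length-prefixed agent protocol message; returns type byte + body."""
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, length)


def stand_in_agent_serve_one(conn):
    """Constructed stand-in agent: answer one REQUEST_IDENTITIES with zero keys."""
    msg = agent_read(conn)
    if msg[0] != SSH_AGENTC_REQUEST_IDENTITIES:
        raise ValueError("unexpected agent request %d" % msg[0])
    agent_write(conn, bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 0))


def run_dance():
    """Return (helper exit status, identity count read over the passed fd)."""
    with tempfile.TemporaryDirectory() as tmp:
        agent_path = os.path.join(tmp, "agent.sock")   # assumed stand-in agent socket
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(agent_path)
        listener.listen(1)
        caller_end, helper_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)

        pid = os.fork()
        if pid == 0:  # helper: connect to the agent, hand the fd back, then exit
            try:
                listener.close()
                caller_end.close()
                agent = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
                agent.connect(agent_path)
                send_fd(helper_end, agent.fileno())
                agent.close()
                helper_end.close()
            finally:
                os._exit(0)

        helper_end.close()
        agent_side, _ = listener.accept()   # the stand-in agent's end of the connection
        listener.close()
        fd = recv_fd(caller_end)            # caller now owns the connected agent socket
        caller_end.close()
        _, status = os.waitpid(pid, 0)      # helper has exited; the fd still works

        client = socket.socket(fileno=fd)
        agent_write(client, bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
        stand_in_agent_serve_one(agent_side)
        reply = agent_read(client)
        client.close()
        agent_side.close()

        if reply[0] != SSH_AGENT_IDENTITIES_ANSWER:
            raise RuntimeError("unexpected agent reply %d" % reply[0])
        (count,) = struct.unpack(">I", reply[1:5])
        exit_status = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
        return exit_status, count


if __name__ == "__main__":
    print(run_dance())
```

The point of the fork/waitpid ordering is the one Andy raises: the helper is already reaped before the caller sends its first agent request, so nothing but the caller has to stay alive to keep the agent connection usable.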