Forward only specific identities
Tim Spriggs
2016-03-11 21:30:33 UTC
Hi OpenSSH peeps!

I have looked around a few man pages and the usual sources of
information but I can't seem to find a way to only forward specific
identities to some hosts. What I would really like to have is a way to
only forward the identity that gave me a successful auth:

% ls ~/.ssh | grep .pub
id_ecdsa.pub
id_ed25519.pub
id_rsa.pub
% cat .ssh/config
Host example.com
IdentitiesOnly=yes
IdentityFile=/home/tspriggs/.ssh/id_rsa.pub

Host another-example.com
IdentitiesOnly=yes
IdentityFile=/home/tspriggs/.ssh/id_ecdsa.pub

# This would be super cool:
Host *
OnlyForwardAuthedKey=yes

% ssh ***@example.com
example.com % ssh-add -L
ssh-rsa ...
example.com % ssh ***@another-example.com
Permission denied (publickey)
example.com % logout
Connection to example.com closed.

% ssh ***@another-example.com
another-example.com % ...

Cheers,
-Tim
Darren Tucker
2016-03-13 23:14:46 UTC
Post by Tim Spriggs
Hi OpenSSH peeps!
I have looked around a few man pages and the usual sources of
information but I can't seem to find a way to only forward specific
identities to some hosts. What I would really like to have is a way to
Right now ssh (which forwards the request to the agent) doesn't
understand the agent protocol, so it can't differentiate. It's
something Damien has mentioned as something we'd like to add but I
don't know of any concrete plans.

In the mean time, you could use a separate agent for the key in
question and point $SSH_AUTH_SOCK at the appropriate socket.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
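A worked version of the "separate agent per key" workaround Darren describes, added here as an example (it is not code from the thread or from OpenSSH). It starts one ssh-agent per identity on a fixed socket under an assumed directory ~/.ssh/agents (the directory name and the script are this example's choice), loads only that key, verifies with ssh-add -l that the agent holds exactly the expected fingerprint, and then runs ssh -A with SSH_AUTH_SOCK pointed at that socket. Only OpenSSH's own ssh-agent, ssh-add and ssh are called, with flags that exist today.

```python
"""Per-identity ssh-agents selected through SSH_AUTH_SOCK (added example)."""
import os
import re
import subprocess
import sys

# Assumption of this example: agents live here, one socket per key file name.
AGENT_DIR = os.path.expanduser("~/.ssh/agents")
SSH_DIR = os.path.expanduser("~/.ssh")
# One line of `ssh-add -l` output: "<bits> <fingerprint> <comment> (<type>)"
LIST_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(.*)\s+\((\S+)\)$")


def socket_path(key_name):
    """Socket the dedicated agent for ~/.ssh/<key_name> listens on."""
    return os.path.join(AGENT_DIR, key_name + ".sock")


def parse_ssh_add_list(output):
    """Fingerprints listed by `ssh-add -l`, one per loaded key ([] if none)."""
    fps = []
    for line in output.splitlines():
        m = LIST_LINE.match(line.strip())
        if m:
            fps.append(m.group(2))
    return fps


def _env_for(sock):
    env = dict(os.environ)
    env["SSH_AUTH_SOCK"] = sock
    return env


def agent_reachable(sock):
    # ssh-add -l exits 0 (keys listed), 1 (agent holds no keys), 2 (no agent on socket)
    rc = subprocess.run(["ssh-add", "-l"], env=_env_for(sock),
                        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
    return rc != 2


def ensure_agent(key_name):
    """Start (or reuse) an agent holding only ~/.ssh/<key_name>; return its socket path."""
    sock = socket_path(key_name)
    if not agent_reachable(sock):
        os.makedirs(AGENT_DIR, mode=0o700, exist_ok=True)
        if os.path.lexists(sock):
            os.unlink(sock)  # stale socket left by a dead agent
        # -a binds the agent to a fixed socket so later invocations find it again
        subprocess.run(["ssh-agent", "-a", sock], check=True, stdout=subprocess.DEVNULL)
        subprocess.run(["ssh-add", os.path.join(SSH_DIR, key_name)],
                       env=_env_for(sock), check=True)
    return sock


def loaded_fingerprints(sock):
    out = subprocess.run(["ssh-add", "-l"], env=_env_for(sock),
                         capture_output=True, text=True)
    return parse_ssh_add_list(out.stdout)


def agent_holds_exactly(sock, fingerprint):
    """The check worth running before forwarding: this agent exposes one key only."""
    return loaded_fingerprints(sock) == [fingerprint]


def run_ssh(key_name, ssh_args):
    """ssh -A with only ~/.ssh/<key_name> reachable through the forwarded agent."""
    sock = ensure_agent(key_name)
    fps = loaded_fingerprints(sock)
    if len(fps) != 1:
        raise SystemExit("refusing to forward: agent %s holds %d keys" % (sock, len(fps)))
    return subprocess.call(["ssh", "-A"] + list(ssh_args), env=_env_for(sock))


if __name__ == "__main__":
    # usage: per_key_agent.py id_rsa user@example.com
    sys.exit(run_ssh(sys.argv[1], sys.argv[2:]))
```

Because ssh -A forwards the agent as a whole, the remote side can only ever see (and ask for signatures with) the single key this agent holds; it still cannot be prevented from using that one key while the session is open, which is the part the requested OnlyForwardAuthedKey option would not change either. In OpenSSH releases from 7.3 onwards the same selection can be made declaratively with the IdentityAgent option in a Host block of ssh_config instead of exporting SSH_AUTH_SOCK per command.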
Dustin Lundquist
2016-03-14 17:11:27 UTC
It's possible to use a proxy to filter the SSH agent connections. I found
this https://github.com/tiwe-de/ssh-agent-filter, but it didn't meet our
exact needs to allow multiple users to share an identity so I implemented
https://github.com/blueboxgroup/sshagentmux.


-Dustin
Post by Darren Tucker
Post by Tim Spriggs
Hi OpenSSH peeps!
I have looked around a few man pages and the usual sources of
information but I can't seem to find a way to only forward specific
identities to some hosts. What I would really like to have is a way to
Right now ssh (which forwards the request to the agent) doesn't
understand the agent protocol, so it can't differentiate. It's
something Damien has mentioned as something we'd like to add but I
don't know of any concrete plans.
In the mean time, you could use a separate agent for the key in
question and point $SSH_AUTH_SOCK at the appropriate socket.
_______________________________________________
openssh-unix-dev mailing list
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
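To show what the filtering-proxy approach Dustin mentions actually does on the wire, here is a minimal filtering agent proxy written for this thread as an added example. It is not code from ssh-agent-filter, sshagentmux or OpenSSH. It listens on a Unix socket you point SSH_AUTH_SOCK at, forwards to the real agent, and only speaks the agent-protocol messages it needs: SSH_AGENTC_REQUEST_IDENTITIES (11) is forwarded and the SSH_AGENT_IDENTITIES_ANSWER (12) is trimmed to the whitelisted key blobs, SSH_AGENTC_SIGN_REQUEST (13) is forwarded only for a whitelisted blob, and everything else (adding or removing keys, locking, extensions) is answered with SSH_AGENT_FAILURE (5). Socket paths on the command line are assumptions for the example.

```python
"""Filtering ssh-agent proxy: expose only whitelisted keys to ssh (added example)."""
import base64
import os
import socket
import struct

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13


def put_string(b):
    return struct.pack(">I", len(b)) + b


def get_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def blob_from_pub_file(path):
    """The agent identifies a key by its blob: the base64 field of a .pub line."""
    with open(path) as f:
        return base64.b64decode(f.read().split()[1])


def filter_identities_answer(reply, allowed):
    """reply = byte 12, uint32 count, count x (string blob, string comment)."""
    if not reply or reply[0] != SSH_AGENT_IDENTITIES_ANSWER:
        return bytes([SSH_AGENT_FAILURE])
    (count,) = struct.unpack_from(">I", reply, 1)
    off, kept = 5, []
    for _ in range(count):
        blob, off = get_string(reply, off)
        comment, off = get_string(reply, off)
        if blob in allowed:
            kept.append(put_string(blob) + put_string(comment))
    return bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(kept)) + b"".join(kept)


def sign_request_allowed(req, allowed):
    """req = byte 13, string blob, string data, uint32 flags."""
    if not req or req[0] != SSH_AGENTC_SIGN_REQUEST:
        return False
    blob, _ = get_string(req, 1)
    return blob in allowed


def handle(req, allowed, upstream):
    """Policy for one client message; upstream(req) returns the real agent's reply."""
    kind = req[0] if req else None
    if kind == SSH_AGENTC_REQUEST_IDENTITIES:
        return filter_identities_answer(upstream(req), allowed)
    if kind == SSH_AGENTC_SIGN_REQUEST and sign_request_allowed(req, allowed):
        return upstream(req)
    # add/remove/lock/extension requests and non-whitelisted signing never reach the agent
    return bytes([SSH_AGENT_FAILURE])


def recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def read_msg(conn):
    (n,) = struct.unpack(">I", recv_exact(conn, 4))
    return recv_exact(conn, n)


def send_msg(conn, payload):
    conn.sendall(struct.pack(">I", len(payload)) + payload)


def ask_real_agent(upstream_path, req):
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as up:
        up.connect(upstream_path)
        send_msg(up, req)
        return read_msg(up)


def serve(listen_path, upstream_path, allowed):
    """Set SSH_AUTH_SOCK=listen_path for ssh; upstream_path is the real agent's socket."""
    if os.path.lexists(listen_path):
        os.unlink(listen_path)
    old = os.umask(0o077)  # the proxy socket must not be connectable by other users
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(listen_path)
        os.umask(old)
        srv.listen(5)
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    while True:
                        req = read_msg(conn)
                        send_msg(conn, handle(req, allowed, lambda r: ask_real_agent(upstream_path, r)))
                except ConnectionError:
                    pass


if __name__ == "__main__":
    import sys
    # usage: agent_filter.py /tmp/filtered.sock ~/.ssh/id_rsa.pub [more .pub files]
    serve(sys.argv[1], os.environ["SSH_AUTH_SOCK"], {blob_from_pub_file(p) for p in sys.argv[2:]})
```

Run it with the whitelisted .pub files, then ssh -A with SSH_AUTH_SOCK pointing at the proxy socket: a remote ssh-add -L will list only the whitelisted keys, and a signing request for any other blob gets SSH_AGENT_FAILURE without the real agent ever seeing it. The filter works on key blobs, not comments, so a renamed key cannot slip through; like the per-key-agent approach, it cannot stop the remote host from using a key that is whitelisted while the session is open.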