Pablo Escobar
2020-Oct-04 10:20 UTC
ability to select which identity to forward when using "ForwardAgent" ?
Hi,

I usually have around 10 identities loaded in my local ssh-agent and when I use the "ForwardAgent" option all of them are forwarded to the remote server, which is not ideal. I usually only need to forward one (or two) of the identities and I would like to be able to choose which one(s) to forward.

Looking for solutions it seems that the only option is to create a new ssh-agent, add the required identities and then do the forwarding as described in https://serverfault.com/a/1012678, but this is not very convenient for daily usage, mainly when I need to connect to many different servers and all my private keys are password protected.

I have also found an external tool to do it ( https://github.com/tiwe-de/ssh-agent-filter ) but this tool doesn't seem to be actively maintained and native openssh functionality would be preferred.

Ideally it would be great to be able to add something like this to my ~/.ssh/config (the option "IdentitiesToForward" in this example doesn't exist and it's what I am missing):

    Host myserver
        Hostname myserver.com
        IdentityFile ~/.ssh/id_ed25519
        ForwardAgent yes
        IdentitiesToForward ~/.ssh/id_ed25519,~/.ssh/id_rsa

Do you think this feature or any alternative providing similar functionality could be added to openssh? Or is there any existing alternative to do it which I missed checking the docs?

Thanks in advance for any help or advice.
best regards,
Pablo.
Lars Noodén
2020-Oct-04 11:33 UTC
ability to select which identity to forward when using "ForwardAgent" ?
On 10/4/20 1:20 PM, Pablo Escobar wrote:
[snip]
> I usually have around 10 identities loaded in my local ssh-agent and when I
> use the "ForwardAgent" option all them are forwarded to the remote server,
> which is not ideal. I usually only need to forward one (or two) of the
> identities and I would like to be able to choose which one(s) to forward.
[snip]

One work-around [1] is to use an alias.

    alias assh="ssh-agent ssh -o AddKeysToAgent=confirm \
        -o ForwardAgent=yes"

That approach will still respect what's in ssh_config(5) except for the two options it overrides.

/Lars

[1] https://vincent.bernat.ch/en/blog/2020-safer-ssh-agent-forwarding
Damien Miller
2020-Oct-04 12:35 UTC
ability to select which identity to forward when using "ForwardAgent" ?
On Sun, 4 Oct 2020, Pablo Escobar wrote:

> Hi,
>
> I usually have around 10 identities loaded in my local ssh-agent and when I
> use the "ForwardAgent" option all them are forwarded to the remote server,
> which is not ideal. I usually only need to forward one (or two) of the
> identities and I would like to be able to choose which one(s) to forward.
>
> Looking for solutions it seems that the only option is to create a new
> ssh-agent, add the required identities and then do the forwarding as
> described in https://serverfault.com/a/1012678 but this is not very
> convenient for daily usage mainly when I need to connect to many different
> servers and all my private keys are password protected.
>
> I have also found an external tool to do it (
> https://github.com/tiwe-de/ssh-agent-filter ) but this tool doesn't seem to
> be actively maintained and a native openssh functionality would be
> preferred.
>
> Ideally it would be great to be able to add something like this to my
> ~/.ssh/config ( option "IdentitiesToForward" in this example doesn't exist
> and it's what I am missing)
>
> Host myserver
>     Hostname myserver.com
>     IdentityFile ~/.ssh/id_ed25519
>     ForwardAgent yes
>     IdentitiesToForward ~/.ssh/id_ed25519,~/.ssh/id_rsa
>
> Do you think this feature or any alternative providing similar
> functionality could be added to openssh?

Yes, I have been working on better control over what gets forwarded, but not quite what you have here.

Generally, I don't want to implement in ssh fine-grained control over which keys are offered for agent forwarding because that would force ssh into a much more trusted role in agent key handling than it currently occupies.

Instead, I have some work-in-progress patches that let ssh-add mark a key as "local only". These keys may be used for authentication by ssh but are never forwarded. This lets users separate the two commingled roles of the agent: 1) a handy way to use private keys without having to type the passphrase over and over and 2) a repository of keys that you want to forward to remote hosts.

Patches are attached but be warned that they are likely incomplete :)

-d
Pablo Escobar
2020-Oct-04 14:04 UTC
ability to select which identity to forward when using "ForwardAgent" ?
On Sun, Oct 4, 2020 at 1:37 PM Lars Noodén <lars.nooden at gmx.com> wrote:

> One work-around [1] is to use an alias.
>
>     alias assh="ssh-agent ssh -o AddKeysToAgent=confirm \
>         -o ForwardAgent=yes"
>
> That approach will still respect what's in ssh_config(5) except for the
> two options it overrides.

Thanks for the suggestion. In a quick test the two drawbacks I found with this approach are:

1) As I start a new agent I have to type the passwords for my private keys again even if I already added them to my previously existing agent. When using a bastion host with a different private key and the ssh option "ProxyJump" or "ProxyCommand" this means typing two passwords.

2) bash autocomplete is not working when using an alias. I use autocomplete a lot because I have a few dozen host entries in my ~/.ssh/config.

In any case this seems the best alternative and I will use this approach for now. I only wanted to mention the drawbacks I noticed in case this information is useful for someone else.

Thanks for your advice.
regards,
Pablo.

> /Lars
>
> [1] https://vincent.bernat.ch/en/blog/2020-safer-ssh-agent-forwarding
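Lars's alias starts a fresh agent for every connection, which is exactly why Pablo has to retype passphrases. The following wrapper, added here as an example and not code from the thread or from OpenSSH, keeps one long-lived agent per "forwarding profile": the profile agent holds only the keys that may be forwarded, each passphrase is typed once per profile rather than once per connection, and the everyday agent with all ten keys is never exposed to the remote host. The profile file format, the fssh/keys_for_profile/key_loaded names, the FSSH_CONF variable and the socket location are all assumptions of this example; the ssh-agent, ssh-add and ssh-keygen invocations are standard OpenSSH ones (ssh-add -l exits 2 when no agent is reachable, ssh-agent -a binds a chosen socket path).

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. One long-lived
# agent per forwarding profile: only that profile's keys are ever forwarded.
#
# Profile file (assumed format, not an OpenSSH feature), default
# ~/.ssh/forward-profiles, one profile per line:
#     <name>  <key1>[:<key2>...]
# Every listed private key is assumed to have its public half at <key>.pub.

# keys_for_profile NAME FILE: print NAME's colon-separated key list; fail if absent.
keys_for_profile() {
    name=$1
    file=$2
    while read -r pname pkeys _; do
        case $pname in ''|'#'*) continue ;; esac
        if [ "$pname" = "$name" ]; then
            printf '%s\n' "$pkeys"
            return 0
        fi
    done < "$file"
    return 1
}

# key_loaded PUBFILE: true if the agent behind $SSH_AUTH_SOCK already holds this key
# (compares the SHA256 fingerprint printed by ssh-keygen -l with ssh-add -l).
key_loaded() {
    fp=$(ssh-keygen -lf "$1" | awk '{print $2}') || return 1
    ssh-add -l 2>/dev/null | awk '{print $2}' | grep -qxF -- "$fp"
}

# fssh PROFILE [ssh arguments...]: connect with agent forwarding, exposing only
# the profile's keys. Runs in a subshell so SSH_AUTH_SOCK of the caller's
# shell (the everyday agent) is left untouched.
fssh() (
    profile=$1
    shift
    conf=${FSSH_CONF:-$HOME/.ssh/forward-profiles}
    keys=$(keys_for_profile "$profile" "$conf") || {
        echo "fssh: no profile '$profile' in $conf" >&2
        exit 1
    }
    sock=${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}/fssh-$profile.sock
    export SSH_AUTH_SOCK=$sock

    # ssh-add -l exits 2 when it cannot talk to an agent: start one on our socket.
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 2 ]; then
        rm -f "$sock"
        eval "$(ssh-agent -a "$sock" -s)" >/dev/null
    fi

    # Add only the profile's keys, skipping ones the profile agent already holds,
    # so a passphrase is asked for once per profile, not once per connection.
    old_ifs=$IFS
    IFS=:
    for k in $keys; do
        IFS=$old_ifs
        key_loaded "$k.pub" || ssh-add "$k" || exit 1
    done
    IFS=$old_ifs

    exec ssh -o ForwardAgent=yes "$@"
)

# Demo on a constructed profile file; needs neither an agent nor ssh.
demo=$(mktemp)
printf 'prod  %s:%s\nlab   %s\n' ~/.ssh/id_ed25519 ~/.ssh/id_rsa ~/.ssh/id_lab > "$demo"
echo "prod would forward: $(keys_for_profile prod "$demo")"
rm -f "$demo"
```

Usage is `fssh prod myserver` (or `fssh lab -J bastion lab-01`); tab completion of host names is lost only for the first argument. The profile agent stays alive after the session, which is the point, so drop its keys with `SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/fssh-prod.sock ssh-add -D` or kill the agent when the profile is no longer needed. Whatever gets forwarded, the remote root can still use every key in that agent while you are connected, so the profile should hold the minimum set.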
Pablo Escobar
2020-Oct-04 14:14 UTC
ability to select which identity to forward when using "ForwardAgent" ?
On Sun, Oct 4, 2020 at 2:35 PM Damien Miller <djm at mindrot.org> wrote:

> On Sun, 4 Oct 2020, Pablo Escobar wrote:
>
> Instead, I have some work-in-progress patches that let ssh-add mark a key
> as "local only". These keys may be used for authentication by ssh but are
> never forwarded. This lets users separate the two commingled roles of the
> agent: 1) a handy place way to use private keys without having to type the
> passphrase over and over and 2) a repository of keys that you want to
> forward to remote hosts.
>
> Patches are attached but be warned that are likely incomplete :)

Thanks for your work on this topic. Indeed this seems a nice alternative approach.

I don't feel confident enough to test incomplete openssh patches so I will wait in case this is released at some point. I know it's not polite to ask for release dates so I won't do it ;) but I will ask... do you expect to get this patch merged upstream at some point?

I guess the right place to check if this feature has been released would be https://www.openssh.com/releasenotes.html , right? Or is there any pull request somewhere which I can follow?

regards,
Pablo.

> -d
Peter Stuge
2020-Oct-05 10:04 UTC
ability to select which identity to forward when using "ForwardAgent" ?
Pablo Escobar wrote:
> I usually have around 10 identities loaded in my local ssh-agent and when I
> use the "ForwardAgent" option all them are forwarded to the remote server,
> which is not ideal. I usually only need to forward one (or two) of the
> identities and I would like to be able to choose which one(s) to forward.

It may not always be sufficient, but remember that when you use ProxyJump (or the equivalent ProxyCommand) then no agent forwarding is used; all SSH processes which authenticate execute only locally and connect directly to your agent.

So agent forwarding is only /required/ when you run interactive shells on intermediate remote hosts.

//Peter
Jakob Schürz
2020-Oct-08 22:27 UTC
ability to select which identity to forward when using "ForwardAgent" ?
Do you know the ssh option "IdentityAgent"? Look in the man pages.

I wrote in the last days some little scripts to automate all this... inspired by ssh-ident (you can find it on GitHub). I have to clean up the code from some personalized stuff, then I can send a GitHub link to this thread, where you can define and easily select which identities are used for which connections.

I'm working with IdentityAgent and a Match section in ~/.ssh/config.

bye
jakob

On 04.10.20 at 12:20, Pablo Escobar wrote:
> Hi,
>
> I usually have around 10 identities loaded in my local ssh-agent and when I
> use the "ForwardAgent" option all them are forwarded to the remote server,
> which is not ideal. I usually only need to forward one (or two) of the
> identities and I would like to be able to choose which one(s) to forward.
>
> Looking for solutions it seems that the only option is to create a new
> ssh-agent, add the required identities and then do the forwarding as
> described in https://serverfault.com/a/1012678 but this is not very
> convenient for daily usage mainly when I need to connect to many different
> servers and all my private keys are password protected.
>
> I have also found an external tool to do it (
> https://github.com/tiwe-de/ssh-agent-filter ) but this tool doesn't seem to
> be actively maintained and a native openssh functionality would be
> preferred.
>
> Ideally it would be great to be able to add something like this to my
> ~/.ssh/config ( option "IdentitiesToForward" in this example doesn't exist
> and it's what I am missing)
>
> Host myserver
>     Hostname myserver.com
>     IdentityFile ~/.ssh/id_ed25519
>     ForwardAgent yes
>     IdentitiesToForward ~/.ssh/id_ed25519,~/.ssh/id_rsa
>
> Do you think this feature or any alternative providing similar
> functionality could be added to openssh?
>
> Or is there any existing alternative to do it which I missed checking the
> docs?
>
> thanks in advance for any help or advice.
> best regards,
> Pablo.
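Peter's point (hops through ProxyJump need no forwarding at all) and Jakob's (IdentityAgent under a Match block picks the agent per connection) combine into a config that needs no wrapper for most hosts. The fragment below is an added example, not from the thread or from OpenSSH; the host names, key files and socket paths are assumptions. Two facts it relies on are not in the thread: since OpenSSH 8.2, ForwardAgent also accepts a socket path (or an environment variable name) instead of yes/no, so the agent that is forwarded need not be the one used for authentication; and Damien's "local only" idea did not land in that form, what OpenSSH 8.9 shipped instead is destination-constrained keys (ssh-add -h), which bind a loaded key to specific hops. Both sockets below are expected to belong to separate agents started with ssh-agent -a that hold only the forwardable keys.

```sshconfig
# Added example, not from the thread or from OpenSSH. Host names, key files
# and socket paths are assumptions for illustration.

# Hosts reached through a bastion: use ProxyJump rather than forwarding.
# Each hop is authenticated by a local ssh process talking to the local
# agent, so neither the bastion nor the target ever sees an agent socket.
Host bastion
    HostName bastion.example.com
    IdentityFile ~/.ssh/id_bastion
    IdentitiesOnly yes
    ForwardAgent no

Host internal-*
    HostName %h.corp.example
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no

# A host where an interactive shell really needs an agent (git pulls, hops
# made from there). Authenticate with the default agent as usual, but forward
# only the socket of a second agent that holds the forwardable keys.
Host myserver
    HostName myserver.com
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent ~/.ssh/fwd-agent.sock

# Jakob's IdentityAgent + Match variant: for these hosts both authentication
# and forwarding go through the dedicated agent, never the everyday one.
Match host lab-*
    IdentityAgent ~/.ssh/lab-agent.sock
    ForwardAgent yes
```

The check after editing is `ssh -G internal-db | grep -i -e forwardagent -e proxyjump -e identityagent`, which prints the effective values without connecting; ForwardAgent should read `no` for every ProxyJump host and a socket path only for the hosts that genuinely need one.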