On Fri, Sep 18, 2015 at 7:07 PM, Peter Stuge <peter at stuge.se> wrote:
> Fabiano Fidêncio wrote:
>> A few possible solutions for this would involve a way to support more
>> than one agent, talking to both (the local one and the spice one),
>> merging then their responses and returning it to any application who
>> sent the request. Note that would be really nice if we can limit it to
>> do just some operations (like, ssh-add .ssh/id_rsa probably must not
>> go to the spice agent).
>>
>> But how to do that? What could be a good approach for doing that?
>
> One obvious approach is to create a proxy agent which looks like an
> agent to all clients, but which also integrates with SPICE.

This is a good solution, probably the best one. The main problem is
how to implement it.
We have two clear ways for adding a proxy agent.
One is with the SSH_AUTH_SOCK supporting a list of sockets, but it
won't be dynamic. In other words, if I want to replace the spice-agent
for another one, it would, most likely, require a session restart and
it's not exactly good :-\
The other option would be to extend the ssh-agent protocol to support a
few new operations (add/remove the proxy agent) and then we could just
do a ssh-add --proxy path/to/the/socket ...

I would really prefer to go for the second approach, but I really would
like to hear, from you (ssh people), if it would be accepted and if I
can proceed with the implementation.

Best Regards,
--
Fabiano Fidêncio
Fabiano Fidêncio wrote:
> > One obvious approach is to create a proxy agent which looks like an
> > agent to all clients, but which also integrates with SPICE.
>
> This is a good solution, probably the best one. The main problem is
> how to implement it.
> We have two clear ways for adding a proxy agent.

The proxy agent is not "added" but would run "in front of" the
original local agent. In addition to simply proxying from clients to
the original local agent, the proxy agent would be capable of
communicating across SPICE.

> One is with the SSH_AUTH_SOCK supporting a list of sockets,

SSH_AUTH_SOCK could be dynamically changed to point to the proxy agent.

> The other option would be to extend the ssh-agent protocol to support a
> few new operations (add/remove the proxy agent) and then we could just
> do a ssh-add --proxy path/to/the/socket ...

This seems unnecessary - just put the proxy agent in front of the
original one.

//Peter
On Sat, Sep 19, 2015 at 2:57 AM, Peter Stuge <peter at stuge.se> wrote:
> Fabiano Fidêncio wrote:
>> > One obvious approach is to create a proxy agent which looks like an
>> > agent to all clients, but which also integrates with SPICE.
>>
>> This is a good solution, probably the best one. The main problem is
>> how to implement it.
>> We have two clear ways for adding a proxy agent.
>
> The proxy agent is not "added" but would run "in front of" the
> original local agent. In addition to simply proxying from clients to
> the original local agent, the proxy agent would be capable of
> communicating across SPICE.
>
>> One is with the SSH_AUTH_SOCK supporting a list of sockets,
>
> SSH_AUTH_SOCK could be dynamically changed to point to the proxy agent.

How could it be done dynamically for the whole session? I mean, setting
an env var for the whole DE session would require a session restart (at
least for GNOME).

>> The other option would be to extend the ssh-agent protocol to support a
>> few new operations (add/remove the proxy agent) and then we could just
>> do a ssh-add --proxy path/to/the/socket ...
>
> This seems unnecessary - just put the proxy agent in front of the
> original one.

And here we have the problem of convincing DE developers to set the
spice-agent as the first one ... actually, I don't think that would be a
problem for GNOME but may be a problem for any other DEs, I will try to
talk to them.. Hmm.
Maybe it can be the best way to go, but I still have to do some tests
using kde/xfce and see if I can ensure that the spice-agent will run
first and then that the ssh-agent will set
SSH_AUTH_SOCK=$SSH_AUTH_SOCK:/path/to/the/system/ssh/agent.

Best Regards,
--
Fabiano Fidêncio
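
The proxy-agent design discussed in this thread comes down to two decisions per request: which backend may see it, and how two key listings become one answer. The sketch below is an added example, not code posted by anyone in the thread or taken from OpenSSH or SPICE; the backend names `local` and `spice` and the routing policy (key listing goes to both, signing goes to the agent that listed the key, everything else stays local) are assumptions, and the message numbers are those of the ssh-agent protocol draft.

```python
import struct
# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
REQUEST_IDENTITIES, IDENTITIES_ANSWER, SIGN_REQUEST = 11, 12, 13

def frame(data: bytes) -> bytes:  # uint32 length prefix (messages, strings)
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Read one length-prefixed string; reject truncated input."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def parse_identities(body: bytes):
    """Decode an IDENTITIES_ANSWER body into [(key_blob, comment)]."""
    if len(body) < 5 or body[0] != IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    off, keys = 5, []
    for _ in range(struct.unpack_from(">I", body, 1)[0]):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        keys.append((blob, comment))
    return keys

def build_identities(keys) -> bytes:
    body = bytes([IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    return body + b"".join(frame(b) + frame(c) for b, c in keys)

def merge(local_body: bytes, spice_body: bytes):
    """Merge both key lists; return (answer body, {key_blob: agent})."""
    owner, merged = {}, []
    for name, body in (("local", local_body), ("spice", spice_body)):
        try:
            keys = parse_identities(body)
        except ValueError:  # a failing backend must not hide the other one
            continue
        for blob, comment in keys:
            if blob not in owner:  # on duplicates the local agent wins
                owner[blob] = name
                merged.append((blob, comment))
    return build_identities(merged), owner

def route(request: bytes, owner: dict) -> list:  # request = type + payload
    """Choose the backend(s) allowed to see one request body."""
    if request[:1] == bytes([REQUEST_IDENTITIES]):
        return ["local", "spice"]
    if request[:1] == bytes([SIGN_REQUEST]):
        blob, _ = read_string(request, 1)
        return [owner[blob]] if blob in owner else []  # unknown key: nobody
    return ["local"]  # ssh-add (17 and up) and unknown types stay local
```

An empty list from `route` means the proxy should answer the client with a failure itself rather than forward the request anywhere.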