Hi OpenSSH peeps! I have looked around a few man pages and the usual sources of information but I can't seem to find a way to only forward specific identities to some hosts. What I would really like to have is a way to only forward the identity that gave me a successful auth: % ls ~/.ssh | grep .pub id_ecdsa.pub id_ed25519.pub id_rsa.pub % cat .ssh/config Host example.com: IdentitiesOnly=yes IdentityFile=/home/tspriggs/.ssh/id_rsa.pub Host another-example.com: IdentitiesOnly=yes IdentityFile=/home/tspriggs/.ssh/id_ecdsa.pub # This would be super cool: Host * OnlyForwardAuthedKey=yes % ssh tspriggs at example.com example.com % ssh-agent -L ssh-rsa ... example.com % ssh tspriggs at another-example.com Permission denied (publickey) example.com % logout Connection to example.com closed. % ssh tspriggs at another-example.com another-example.com % ... Cheers, -Tim
On Sat, Mar 12, 2016 at 8:30 AM, Tim Spriggs <imoverclocked at gmail.com> wrote:> Hi OpenSSH peeps! > > I have looked around a few man pages and the usual sources of > information but I can't seem to find a way to only forward specific > identities to some hosts. What I would really like to have is a way to > only forward the identity that gave me a successful auth:Right now ssh (which forwards the request to the agent) doesn't understand the agent protocol, so it can't differentiate. It's something Damien has mentioned as something we'd like to add but I don't know of any concrete plans. In the mean time, you could use a separate agent for the key in question and point $SSH_AUTH_SOCK at the appropriate socket. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
It's possible to use a proxy to filter the SSH agent connections. I found this https://github.com/tiwe-de/ssh-agent-filter, but it didn't meet our exact needs to allow multiple users to share an identity so I implemented https://github.com/blueboxgroup/sshagentmux. -Dustin On Sun, Mar 13, 2016 at 4:14 PM, Darren Tucker <dtucker at zip.com.au> wrote:> On Sat, Mar 12, 2016 at 8:30 AM, Tim Spriggs <imoverclocked at gmail.com> > wrote: > > Hi OpenSSH peeps! > > > > I have looked around a few man pages and the usual sources of > > information but I can't seem to find a way to only forward specific > > identities to some hosts. What I would really like to have is a way to > > only forward the identity that gave me a successful auth: > > Right now ssh (which forwards the request to the agent) doesn't > understand the agent protocol, so it can't differentiate. It's > something Damien has mentioned as something we'd like to add but I > don't know of any concrete plans. > > In the mean time, you could use a separate agent for the key in > question and point $SSH_AUTH_SOCK at the appropriate socket. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >
Reasonably Related Threads
- [Bug 2095] New: ssh client not respecting IdentitiesOnly=yes option
- Error in cor.default(x1, x2) : missing observations in cov/cor
- [Bug 3080] New: Document IdentityFile=none and clarify interaction of defaults with IdentitiesOnly
- IdentityFile vs IdentitiesOnly
- [Bug 3681] New: SSH Agent Certificate Not Recognized with 'IdentitiesOnly' Configured