On Mon, Mar 11, 2024, at 6:05 PM, Bernd Eckenfels wrote:
> BTW not for your use case with the decryption, but if people want to
> dynamically create/provision short lived
> keys, they could use "match host * exec gen-key.sh %s" config to run a
> program before each connection.
> However it can't stdout the key material, but what it could do is
> update a temporary Identity file or
> push it short-lived with ssh-add to the running (standard) agent.
I posted earlier about this -- it works very poorly. In particular, it runs
even in cases where nothing is trying to connect. For example:
ssh -O exit host
I personally think the ssh-agent suggestion works poorly. It's fine if
one's goal is to configure an agent for all connections made by the running
user. But if you want to do it *per host*, then something needs to start the
agent and something needs to tell it when it's done.
I can imagine this being improved in a couple ways. For example, there could be
an option like:
IdentityAgentCommand foo
where foo is run and the agent protocol is spoken over stdin and stdout. Or
maybe the command could pass a connected socket back to its caller (via an
awkward SCM_RIGHTS dance) so that the caller wouldn't be forced to remain
running.
--Andy
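As an added illustration of the "Match ... exec" approach Bernd describes above (example code, not from the thread and not part of OpenSSH): an ssh_config stanza that runs a helper before each connection, and the helper itself, which creates a fresh per-host key under a temporary directory and loads it into the running agent with a bounded lifetime. The helper name `gen-key.sh`, the key directory, and the 300-second lifetime are assumptions; the caveat in the comments is the one Andy raises, namely that the hook also fires for invocations such as `ssh -O exit host` that never open a connection.

```shell
#!/bin/sh
# Added example (not from the thread): provision a short-lived, per-host key
# from an ssh_config "Match ... exec" hook. Paths and lifetime are assumptions.
#
# ~/.ssh/config fragment this script is meant to pair with:
#
#   Match host * exec "$HOME/.ssh/gen-key.sh %h"
#       IdentityFile ~/.ssh/ephemeral/%h
#
# Caveat from the thread: the exec hook also runs for invocations that never
# connect (for example `ssh -O exit host`), so the script must be cheap and
# idempotent, and it must not assume a session will follow.

KEYDIR="${KEYDIR:-$HOME/.ssh/ephemeral}"   # per-host key directory (assumption)
LIFETIME="${LIFETIME:-300}"                # seconds the agent keeps the key (assumption)

# gen_key HOST: create KEYDIR/HOST if it does not exist, keep permissions tight,
# and push it to the agent with a lifetime. Returns 0 on success, 1 otherwise.
# Nothing is written to stdout: ssh ignores the hook's output anyway.
gen_key() {
    host="$1"
    # Reject empty or path-like names so %h can never escape KEYDIR.
    [ -n "$host" ] || return 1
    case "$host" in */*|.|..) return 1 ;; esac

    mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR" || return 1
    keyfile="$KEYDIR/$host"

    # Idempotent: reuse an existing key rather than generating on every hook run.
    if [ ! -f "$keyfile" ]; then
        ssh-keygen -q -t ed25519 -N "" -C "ephemeral-$host" -f "$keyfile" || return 1
        chmod 600 "$keyfile" || return 1
    fi

    # Only talk to an agent when one is reachable; IdentityFile still works without it.
    if [ -n "$SSH_AUTH_SOCK" ]; then
        ssh-add -q -t "$LIFETIME" "$keyfile" 2>/dev/null || return 1
    fi
    return 0
}

# When invoked as the hook (argv[0] is gen-key.sh), provision the key for %h.
# Exit status 0 makes the Match block apply.
if [ "${0##*/}" = "gen-key.sh" ]; then
    gen_key "$1"
    exit $?
fi
```

The lifetime on `ssh-add -t` is what makes the key short-lived from the agent's point of view; the on-disk copy under `KEYDIR` still has to be cleaned up separately, which is exactly the "something needs to tell it when it's done" gap Andy points out.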