search for: identityag

...or my set-up. I thought I'd > tried unsetting SSH_AUTH_SOCK before but obviously I hadn't, I guess > the need to specify the key file is a result of not having that but > it's not a problem for me really. You might like to try something like this in .ssh/config Host backup IdentityAgent none IdentityFile ~/backup_id_rsa

https://bugzilla.mindrot.org/show_bug.cgi?id=2216 Bug ID: 2216 Summary: allow forwarding a different socket than SSH_AUTH_SOCK Product: Portable OpenSSH Version: 6.5p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs

> > There must be *something* in the environment that affects this because > I'm seeing two different ways of asking for the passphrase on the same > screen. The only difference is that one is a simple terminal window > running on my system and the other is one where I have used ssh to > connect to a remote system and then ssh again back to the 'home' > system.

...accept the tokens described in the ?TOKENS? section. > Arguments to some keywords can be expanded at runtime from environment variables on the client by enclosing them in ${}, for example ${HOME}/.ssh would refer to the user's .ssh directory. [...] The keywords CertificateFile, ControlPath, IdentityAgent, IdentityFile, KnownHostsCommand, and UserKnownHostsFile support environment variables. In the implementation[1] the first argument (script or binary to be invoked) is excluded from being parsed. While the documentation quoted above can be interpreted such that this is the intended behaviour, t...

...e command, they fail to authenticate and have to do it manually. ssh_config contains a Match ... exec [command to refresh the certificate]. This sort of works, except that it runs the command far too frequently. For example, ssh -O exit [name] refreshes the certificate, and it should not do so. IdentityAgent could point to a custom agent. This would be more useful if ssh could _start_ the agent. In any case, this requires an agent, which is more complex than a tool that refreshes a certificate. PKCS11Provider doesn't seem useful. ProxyCommand could specify a command that refreshes the certif...

...nt. If this sounds like a good idea I'd be happy to give implementing it in OpenSSH a go and submit a patch. I want to get a feeling for whether any of this sounds like a workable plan before I do that. Hacky approaches that would not require changes to the ssh client include using setting IdentityAgent to <path>/%u@%h:%p where <path> is a virtual filesystem that materializes sockets as required; using LD_PRELOAD to hook the agent socket and inject the appropriate info; setting ProxyCommand to something that informs the agent ahead of time; or just wrapping ssh in something that...

...and CA key fingerprint). Changes since OpenSSH 7.8 ========================= This is primarily a bugfix release. New Features ------------ * ssh(1), sshd(8): allow most port numbers to be specified using service names from getservbyname(3) (typically /etc/services). * ssh(1): allow the IdentityAgent configuration directive to accept environment variable names. This supports the use of multiple agent sockets without needing to use fixed paths. * sshd(8): support signalling sessions via the SSH protocol. A limited subset of signals is supported and only for login or command sess...

On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote: [...] > ssh_config contains a Match ... exec [command to refresh the certificate]. This sort of works, > except that it runs the command far too frequently. For example, ssh -O exit [name] refreshes > the certificate, and it should not do so. You can have the command check if the cert is expired or near

https://bugzilla.mindrot.org/show_bug.cgi?id=3140 Bug ID: 3140 Summary: support a token for XDG_RUNTIME_DIR Product: Portable OpenSSH Version: 8.2p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org

...ar environment variables set via PAM. CVE-2015-8325, found by Shayan Sadigh. New Features ------------ * ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts". * ssh(1): Add an IdentityAgent option to allow specifying specific agent sockets instead of accepting one from the environment. * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be optionally overridden when using ssh -W. bz#2577 * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as...

...ar environment variables set via PAM. CVE-2015-8325, found by Shayan Sadigh. New Features ------------ * ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts". * ssh(1): Add an IdentityAgent option to allow specifying specific agent sockets instead of accepting one from the environment. * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be optionally overridden when using ssh -W. bz#2577 * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as...

https://bugzilla.mindrot.org/show_bug.cgi?id=3572 Bug ID: 3572 Summary: ssh-agent refused operation when using FIDO2 with -O verify-required Product: Portable OpenSSH Version: 9.3p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component:

Hi, I usually have around 10 identities loaded in my local ssh-agent and when I use the "ForwardAgent" option all them are forwarded to the remote server, which is not ideal. I usually only need to forward one (or two) of the identities and I would like to be able to choose which one(s) to forward. Looking for solutions it seems that the only option is to create a new ssh-agent, add

...for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its us...

...for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its us...

...and CA key fingerprint). Changes since OpenSSH 7.8 ========================= This is primarily a bugfix release. New Features ------------ * ssh(1), sshd(8): allow most port numbers to be specified using service names from getservbyname(3) (typically /etc/services). * ssh(1): allow the IdentityAgent configuration directive to accept environment variable names. This supports the use of multiple agent sockets without needing to use fixed paths. * sshd(8): support signalling sessions via the SSH protocol. A limited subset of signals is supported and only for login or command sess...