Displaying 2 results from an estimated 2 matches for "identityagentcommand".
2024 Mar 12
1
PrivateKeyCommand config idea
BTW not for your use case with the decryption, but if people want to dynamically create/provision short lived
keys, they could use "match host * exec gen-key.sh %s" config to run a program before each connection.
However it can't stdout the key material, but what it could do is update a temporary Identity file or
push it short-lived with ssh-add to the running (standard) agent.
openssh at tr.id.au
2024 Mar 12
1
PrivateKeyCommand config idea
...is to configure an agent for all connections made by the running user. But if you want to do it *per host*, then something needs to start the agent and something needs to tell it when it's done.
I can imagine this being improved in a couple ways. For example, there could be an option like:
IdentityAgentCommand foo
where foo is run and the agent protocol is spoken over stdin and stdout. Or maybe the command could pass a connected socket back to its caller (via an awkward SCM_RIGHTS dance) so that the caller wouldn't be forced to remain running.
--Andy