search for: ssh_agentc_extension

...To "pin" an agent request > to a remote identity we'd either need to make the connections persistent > and add an extension to inform the agent of the remote identity OR > do this on every request. The latter is probably easier. > > I.e. have ssh inject a > > SSH_AGENTC_EXTENSION "remote-id at openssh.com" string("user at host") > > before each agent request (ssh would need to eat the reply too) and the > agent uses that to filter the keys it is prepared to send. Specifying > which hosts a given key is allowed for could be done with a key &g...

Hi, I'm prototyping an SSH agent that can broker access to a large set of remotely held SSH keys (potentially hundreds or thousands)*. Since SSH servers have a limit on maximum authentication attempts, the client needs to be able to request whichever particular key it needs for a given target user at server from the agent. Currently, the SSH agent protocol[1] only supports

...ow] vendor-specific and experimental messages to be sent via the agent protocol". ssh-agent itself offers a message of type "session-bind at openssh.com", however it does not support the standard "query" extension from Section 3.8.1 of the spec. (Issuing a "query" SSH_AGENTC_EXTENSION call to the agent results in an SSH_AGENT_FAILURE. This is the case in 9.9p1, and appears to have been the case ever since introduction of "session-bind at openssh.com" in 8.9p1.) This leads to the unfortunate situation that one cannot discover support of the "session-bind at openss...

On 2018-03-22 01:25, Peter Stuge wrote: >> Or an intermediate forwarding ssh could insert a tag (2): >> >> - SSH_AGENTC_EXTENSION "forwarded-for at openssh.com" string("user2 at host2") >> - SSH_AGENTC_REQUEST_IDENTITIES >> >> (which would of course nest with multiple chained forwards, similar to >> SMTP Received headers) > > Since forwarding ssh processes just forward agent...