This repository was archived by the owner on Jul 19, 2018. It is now read-only.

RFE: allow a key to be marked 'allow only one use' #3

@siebenmann

I not infrequently would like to authenticate to a host with one ssh-agent key but only forward access to another, less privileged key to the remote host. Because ssh uses the same agent connection for both direct authentication and agent forwarding, there is no straightforward way to do this today even with ssh-agent-filter. An awkward way of making this work would be to mark the authentication key as being allowed to be used only once, implicitly for the initial ssh authentication; afterwards it would be unavailable for use, so the remote host would not have access to it.

This feature would unfortunately be susceptible to problems; for instance, if the authentication key is not actually used in the initial connection, it would remain available through the forwarded agent. This may make it something that you don't want to see implemented in ssh-agent-filter, which is fair enough. If this does seem like a feature that you're willing to accept (possibly with elaboration, for example so that such keys are made unavailable within a few seconds even if they're not used), I'd be happy to take a try at implementing it.

(It's also possible that my need for this feature actually means that I'm setting up my keys in a lazy way and I should be authenticating with more narrowly privileged keys.)
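
The policy requested above, as an added example that is not part of the original issue or of ssh-agent-filter's code: a minimal Python model of a filter that lets a key sign once and also withdraws it after a short time limit, covering the case where the key is never used for the initial authentication. The class, method names and key labels are hypothetical; real keys would be identified by their public key blobs.

```python
import time


class OneUsePolicy:
    """Hypothetical agent-filter policy (not ssh-agent-filter's API).

    Keys listed in one_use may produce a single signature and are withdrawn
    grace_seconds after the filter starts, whether or not they were used.
    """

    def __init__(self, keys, one_use, grace_seconds, clock=time.monotonic):
        self.clock = clock
        self.start = clock()
        self.grace = grace_seconds
        # Remaining signatures per key; None means unlimited.
        self.remaining = {k: (1 if k in one_use else None) for k in keys}

    def _usable(self, key):
        left = self.remaining.get(key, 0)  # unknown keys are never usable
        if left is None:
            return True
        return left > 0 and (self.clock() - self.start) <= self.grace

    def visible_keys(self):
        # What the filter would return for SSH_AGENTC_REQUEST_IDENTITIES (11).
        return [k for k in self.remaining if self._usable(k)]

    def allow_sign(self, key):
        # Decision for SSH_AGENTC_SIGN_REQUEST (13); consumes a use on success.
        if not self._usable(key):
            return False
        if self.remaining[key] is not None:
            self.remaining[key] -= 1
        return True


if __name__ == "__main__":
    # Constructed labels standing in for two public key blobs.
    policy = OneUsePolicy(["auth-key", "forward-key"], {"auth-key"}, grace_seconds=5)
    print(policy.allow_sign("auth-key"))   # initial login signature
    print(policy.visible_keys())           # what the remote host can see afterwards
    print(policy.allow_sign("auth-key"))   # request arriving over the forwarded agent
```
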
