I want to write an SSH agent that knows what user/host you're trying to connect to, but the protocol doesn't provide that. So I just had a ridiculous idea. What if I make a FUSE filesystem that materializes listening UNIX sockets on the fly, and set IdentityAgent to <fs>/%r@%h
Correct. It's a design for a central authentication system that does not require deeply integrated target hosts (no LDAP/cert system/uniform key management) and can provide auditing (not just shoving people's personal private keys into all authorized_keys files).
ACK, I question the viability of the audit. You can know when I request a given key. But you have no way to know if I keep a copy.
Check out SSH certs. You can expire them, or specify which command they can be used with.
That is not how SSH agents work. You do not request the key, you request to sign something with it. Every single use has to go through the agent. That's the entire point!
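To make the last point concrete, here is an added example (my own code, not anything from the thread or from a real project) of the agent side of the `IdentityAgent <fs>/%r@%h` idea: one agent instance per materialized socket, which reads the expected user and host out of its own path, speaks enough of the SSH agent protocol to answer `ssh`, and treats every SSH_AGENTC_SIGN_REQUEST as an audit event. It also adds the check a practitioner would want: the blob a client asks the agent to sign during publickey auth has a fixed layout (RFC 4252 section 7) that contains the user name, so the agent can refuse to sign anything that is not a userauth request for the user named in the socket path, rather than trusting the path alone. The host is not part of that signed blob (it is only bound indirectly through the session identifier), so the host half of the path stays an audit label, not an enforced check. Everything is stdlib; `DEMO_KEY` is a constructed fake key blob and `demo_signer` is a stand-in (HMAC over the data, not a real SSH signature) where an actual agent would use the private key.

```python
"""Added example, not code from the thread: a minimal SSH-agent-protocol
handler whose socket path carries the target (IdentityAgent <fs>/%r@%h),
so every signing request is checked against, and audited with, the user
named in the path. Stdlib only; the signer is a labelled stand-in."""
import hashlib, hmac, os, socket, struct

# Agent protocol message numbers (draft-miller-ssh-agent) and the
# SSH_MSG_USERAUTH_REQUEST byte from RFC 4252.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER = 11, 12
SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 13, 14
SSH_MSG_USERAUTH_REQUEST = 50

def ssh_str(b):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_str(buf, off):
    """Decode an SSH 'string' at offset off; returns (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n

def build_sign_request(key_blob, data, flags=0):
    """Full SSH_AGENTC_SIGN_REQUEST message as the ssh client sends it."""
    return bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_str(key_blob) + ssh_str(data) + struct.pack(">I", flags)

def parse_sign_request(body):
    """Body of SSH_AGENTC_SIGN_REQUEST: string key_blob, string data, uint32 flags."""
    key_blob, off = read_str(body, 0)
    data, off = read_str(body, off)
    (flags,) = struct.unpack_from(">I", body, off)
    return key_blob, data, flags

def build_userauth_request(session_id, user, algo, key_blob):
    """The exact bytes a client signs for publickey auth (RFC 4252 section 7)."""
    return (ssh_str(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_str(user.encode())
            + ssh_str(b"ssh-connection") + ssh_str(b"publickey") + b"\x01"
            + ssh_str(algo.encode()) + ssh_str(key_blob))

def parse_userauth_request(data):
    """Inverse of build_userauth_request; ValueError if data is not such a request."""
    session_id, off = read_str(data, 0)
    if data[off] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    user, off = read_str(data, off + 1)
    service, off = read_str(data, off)
    method, off = read_str(data, off)
    has_sig, off = data[off], off + 1
    algo, off = read_str(data, off)
    key_blob, off = read_str(data, off)
    if (service, method, has_sig, off) != (b"ssh-connection", b"publickey", 1, len(data)):
        raise ValueError("malformed USERAUTH_REQUEST")
    return {"session_id": session_id, "user": user.decode(), "algo": algo.decode(), "key_blob": key_blob}

class AuditingAgent:
    """One agent instance per materialized socket, e.g. <fs>/alice@db01."""
    def __init__(self, socket_path, keys, signer):
        # keys: {key_blob: comment}; signer(key_blob, data) -> raw signature bytes.
        self.user, _, self.host = os.path.basename(socket_path).partition("@")
        self.keys, self.signer, self.audit = keys, signer, []

    def handle(self, msg):
        """Dispatch one agent message (without its length prefix); returns the reply."""
        kind, body = msg[0], msg[1:]
        if kind == SSH_AGENTC_REQUEST_IDENTITIES:
            out = struct.pack(">I", len(self.keys))
            for blob, comment in self.keys.items():
                out += ssh_str(blob) + ssh_str(comment)
            return bytes([SSH_AGENT_IDENTITIES_ANSWER]) + out
        if kind == SSH_AGENTC_SIGN_REQUEST:
            return self._sign(body)
        return bytes([SSH_AGENT_FAILURE])

    def _deny(self, why):
        self.audit.append(("DENY", self.user, self.host, why))
        return bytes([SSH_AGENT_FAILURE])

    def _sign(self, body):
        try:
            key_blob, data, _flags = parse_sign_request(body)
            req = parse_userauth_request(data)  # refuse to sign arbitrary blobs
        except (ValueError, IndexError, struct.error) as e:
            return self._deny("not a publickey userauth request: %s" % e)
        if key_blob not in self.keys or req["key_blob"] != key_blob:
            return self._deny("unknown or mismatched key")
        if req["user"] != self.user:  # enforce the %r half of the socket path
            return self._deny("request for user %r on socket for %r" % (req["user"], self.user))
        sig = self.signer(key_blob, data)
        self.audit.append(("ALLOW", self.user, self.host, hashlib.sha256(req["session_id"]).hexdigest()[:16]))
        return bytes([SSH_AGENT_SIGN_RESPONSE]) + ssh_str(ssh_str(req["algo"].encode()) + ssh_str(sig))

def serve(agent, path):
    """Listen on the UNIX socket and answer length-prefixed agent messages."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    while True:
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as f:
            while len(hdr := f.read(4)) == 4:
                conn.sendall(ssh_str(agent.handle(f.read(struct.unpack(">I", hdr)[0]))))

# Constructed demo material: a fake ed25519 key blob and a stand-in signer
# (HMAC over the data, NOT a real SSH signature; a real agent signs with
# the private key here).
DEMO_KEY = ssh_str(b"ssh-ed25519") + ssh_str(b"\x11" * 32)
DEMO_SECRET = b"demo-secret"

def demo_signer(key_blob, data):
    return hmac.new(DEMO_SECRET, key_blob + data, hashlib.sha256).digest()

if __name__ == "__main__":
    path = "/tmp/agentfs/alice@db01"  # assumed socket path; point IdentityAgent at it
    serve(AuditingAgent(path, {DEMO_KEY: b"alice"}, demo_signer), path)
```

Run with a real client only to see the protocol exchange and audit log: because `demo_signer` is not a real signature, the server will reject the auth, which is the point at which a real agent would call the key. The `audit` list is what the thread's auditing claim rests on: a record exists per signature, including which target socket it arrived on, and a request naming a different user, or data that is not a userauth request at all, is refused and logged rather than signed.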