Forwarding access to a subset of ssh-agent identitites

ssh security linux

Solution 1:

I implemented an ssh-agent-filter for myself, use it with:

$ afssh -c id_bluecorp -- server1.bluecorp.com
$ afssh -c id_bluecorp -- server2.bluecorp.com
$ afssh -c id_redcorp -- server42.redcorp.com

It's already in Debian (and Ubuntu).

Solution 2:

You can use multiple agents and specify each specifically using IdentityAgent and add the keys you want with IdentityFile and set AddKeysToAgent to yes. You will have to specify the unix socket for each ssh-agent to bind to with the -a option. You could also of course add the keys manually with ssh-add, after you create each one.

First create your agent:

ssh-agent -a ~/.ssh/redcorp-agent

Then in your .ssh/config have something like this:

Host redcorp* *.redcorp.com
IdentityFile ~/.ssh/redcorp.pem
IdentityAgent ~/.ssh/redcorp-agent
AddKeysToAgent yes
ForwardAgent yes

Related

What's the best way to copy deduplicated files onto a new Server 2012 drive?
Is it wise to use SSHDs (Solid state hybrid drives) on a server?
Enabling VMware EVC on Westmere E5645 CPU only accepts "Nehalem" mode
Excessive 'TCP Dup ACK' & 'TCP Fast Retransmission' causing issues on network. What's causing this?
How can I have Supervisor running my programs as another user?
ESXi standalone host cannot power on any virtual machines
How do I install the main repositories for RHEL6
Use the ServerName as a variable in httpd.conf file
Supermicro IPMI unable to access through shared port
DKIM and SPF for a subdomain
SSH How do I ignore IdentityFile not found errors?
How do I assign specific IP address to my OpenVPN server?