Destination constraints

[noonien]

When connecting to a ssh server, by default, all available public keys are sent for it to choose one for authentication. This is a problem because any server you connect to now has a list of all your public keys. While this is not really a security issue for authentication, it allows servers to identify you if they have, for example, your github ssh key, or check other servers if they accept your public key (see, for example, https://github.com/benjojo/ssh-key-confirmer).

OpenSSH 8.9 implemented detstination constraints, this allows ssh-agent to forwards public keys based on the destination server. The destination constraints can be added via the -h flag to ssh-add.

It would be cool for skm to either support adding destination constraints for keys, or to add keys with destination constraints to .ssh/config

[TimothyYe]

Hi @noonien, thanks for the suggestion.

If this feature is only implemented by OpenSSH starting from version 8.9, I think there is a more flexible way to enable the destination constraints via the Hook Mechanism:

https://github.com/TimothyYe/skm#hook-mechanism

You may put the ssh-add command in the hook script to limit the public keys used to connect to the hosts. When the SSH key is in use, the corresponding hook script will be executed simultaneously.