Open nicolaevladescu opened 5 years ago
Just modify your .ssh/config to forward or not forward your key to the agent
Hi @FernandoMiguel, I don't follow your suggestion. Can you elaborate?
Take for example my ssh config file:

```
Host github.com
    User git
    PreferredAuthentications publickey
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton

Host *.REDACTED
    User root
    StrictHostKeyChecking no
    PreferredAuthentications publickey
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/fm_ed25519
    IdentityFile ~/.ssh/id_krypton

# Added by Krypton
Host *
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton
```

Each config there has its own key. It can also forward the key to the remote agent. Just add a block for your bastion host.
Hi.

What I want to achieve is to use the Krypton key for `ssh -A user@bastion.host` and have an `ssh-agent` running to which I `ssh-add` one or more specific keys, but not the Krypton key. I don't have a problem with adding keys to `ssh-agent`; I have a problem with excluding the Krypton key, which adds itself to the `ssh-agent` without me adding it manually using `ssh-add`.
Then exclude the `*` block. It's the one sending your key.
Excerpt from the `ssh-agent` manual:

> The agent initially does not have any private keys. Keys are added using ssh-add(1). When executed without arguments, ssh-add(1) adds the files ~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity. If the identity has a passphrase, ssh-add(1) asks for the passphrase (using a small X11 application if running under X11, or from the terminal if running without X). It then sends the identity to the agent. Several identities can be stored in the agent; the agent can automatically use any of these identities. ssh-add -l displays the identities currently held by the agent.

I am adding a specific key, giving it its full path, using `ssh-add`. Which program or command from the following block does this adding part automatically?

```
# Added by Krypton
Host *
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton
```

I understand what you are suggesting, but I don't see the logic or docs behind your suggestions unless you have some insight on `krssh`. If you do, please explain.
Replacing the Krypton SSH key with a local key.

Scenario:

- Login to `edge1.host` via `bastion.host` using `ssh-agent`
- `id_rsa`: private key with pub key on `bastion.host`
- `id_ed25519`: private key with pub key on `edge1.host`

I have tested with just this stanza in `cat ~/.ssh/config`:

```
Host *
    IdentityFile ~/.ssh/id_rsa
```

Then I do the following on my machine:

```
$ eval $(ssh-agent)
Agent pid 76029
$ printenv | grep -i ssh_
SSH_AGENT_PID=76029
SSH_AUTH_SOCK=/var/folders/<redacted>/agent.76028
$ ssh-add -L
The agent has no identities.
$ ssh-add ~/.ssh/id_ed25519
$ ssh-add -L
ssh-ed25519 <redacted> user@MacBook-Pro.local
$ ssh -A user@bastion.host
```

Commands run on `bastion.host`:

```
$ ssh-add -L
ssh-ed25519 <redacted> user@MacBook-Pro.local
$ ssh user@edge1.host
```

There are no other keys in `ssh-agent` except the one I added manually, even though my `~/.ssh/config` is similar to what `kr` is setting up. Also, I successfully log in on `edge1.host` using `id_ed25519` from `ssh-agent` but using `id_rsa` to log in to `bastion.host`.

So there must be something `kr` or `krssh` is doing that adds its key to the `ssh-agent`.

Ok, so I retested everything using `kr` and now it seems that ONLY the Krypton key gets added to `ssh-agent` when I do `ssh-add -L` on `bastion.host`.
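The behaviour measured above (only the Krypton key showing up in `ssh-add -L` on the bastion) follows from how OpenSSH reads `~/.ssh/config`: the first value obtained for an option wins, so the Krypton `Host *` block supplies `IdentityAgent` for every host that no earlier block covers, and `ssh -A` forwards that same agent socket. The script below is an added example, not code from this thread or from Krypton: a small POSIX-shell resolver for that first-match rule, run against two constructed config files, the Krypton catch-all block alone and the same file with a `bastion.host` block in front of it that keeps the Krypton agent for authentication but names the local agent in `ForwardAgent`. The hostnames, the `user` login and the `ForwardAgent $SSH_AUTH_SOCK` line are assumptions; `ForwardAgent` accepting a socket path or `$VARIABLE` needs OpenSSH 8.2 or newer, and the resolver ignores `Match` blocks and negated `!` patterns.

```shell
#!/bin/sh
# Added example, not code from this thread or from Krypton: a small resolver for
# ssh_config's "first obtained value wins" rule, used to show which agent socket
# the Krypton-added "Host *" block hands to `ssh -A`, and how a bastion-specific
# block placed in front of it changes that.
set -eu
set -f   # no pathname expansion: "Host *" must stay a literal pattern when split

# resolve_option <config-file> <hostname> <keyword>
# Prints the value OpenSSH would apply for <keyword> when connecting to <hostname>:
# the first occurrence inside a matching Host block, walking the file top to bottom
# (prints nothing if no block sets it). Handles space-separated glob patterns on a
# Host line; negated "!" patterns and Match blocks are deliberately not modelled.
resolve_option() {
    cfg=$1
    host=$2
    want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    in_match=1   # lines before the first Host block apply to every host
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop comments
        set -- $line              # split on whitespace (globbing is off)
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        shift
        if [ "$key" = host ]; then
            in_match=0
            for pat in "$@"; do
                case $host in $pat) in_match=1 ;; esac
            done
            continue
        fi
        if [ "$in_match" -eq 1 ] && [ "$key" = "$want" ]; then
            printf '%s\n' "$*"
            return 0
        fi
    done < "$cfg"
    return 0
}

# forwarded_agent <config-file> <hostname>
# Models what `ssh -A <hostname>` forwards: a socket path or $VARIABLE given to
# ForwardAgent (OpenSSH 8.2+), otherwise the agent ssh itself authenticates with,
# which is the IdentityAgent socket when one is set and $SSH_AUTH_SOCK otherwise.
forwarded_agent() {
    fa=$(resolve_option "$1" "$2" ForwardAgent)
    case $fa in
        ""|yes|no)
            ia=$(resolve_option "$1" "$2" IdentityAgent)
            if [ -n "$ia" ]; then printf '%s\n' "$ia"; else printf '%s\n' '$SSH_AUTH_SOCK'; fi ;;
        *)  printf '%s\n' "$fa" ;;
    esac
}

# Constructed config files in a scratch directory so the example runs offline.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# 1. The layout from the thread: only the Krypton-added catch-all block.
cat > "$workdir/krypton.cfg" <<'EOF'
# Added by Krypton
Host *
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton
EOF

# 2. The same file with a bastion block in front of it (hostname and login are
#    assumptions). IdentityAgent still names the Krypton agent, so the Krypton key
#    authenticates to the bastion, but ForwardAgent names the local agent instead,
#    so only keys ssh-add'ed to that agent are visible on the bastion.
cat > "$workdir/split.cfg" <<'EOF'
Host bastion.host
    User user
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton
    ForwardAgent $SSH_AUTH_SOCK

# Added by Krypton
Host *
    IdentityAgent ~/.kr/krd-agent.sock
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton
EOF

for name in krypton.cfg split.cfg; do
    printf '%-12s IdentityAgent=%s  forwarded=%s\n' "$name" \
        "$(resolve_option "$workdir/$name" bastion.host IdentityAgent)" \
        "$(forwarded_agent "$workdir/$name" bastion.host)"
done
```

With a real client the equivalent check is `ssh -G bastion.host | grep -i -e identityagent -e forwardagent`, which prints the effective values after the same first-match resolution; if `forwardagent` is not a socket path there, `-A` will hand the bastion whatever agent `identityagent` points at.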
Hello.

My use case: a bastion VM as a personal host, just so that I can have a static IP (my home ISP does not provide one) which is whitelisted to access the edge hosts that belong to my client and use different private keys. I don't want my private Krypton key to end up on the edge machines in any way, just use it to get to the bastion, and add only the edge client keys to `ssh-agent`.

Right now it looks like it gets added automatically to my spawned `ssh-agent`. Can I disable the default forwarding of the Krypton key?