Bug 2216

Summary: allow forwarding a different socket than SSH_AUTH_SOCK
Product: Portable OpenSSH
Reporter: chrysn
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: enhancement
CC: daniel, djm, jasper, korn-mindrot.org
Priority: P5
Version: 6.5p1
Hardware: All
OS: All
See Also: https://bugzilla.mindrot.org/show_bug.cgi?id=1937
Bug Depends on:
Bug Blocks: 3079

Description chrysn 2014-03-25 02:30:56 AEDT
When a user has different ssh agents running, or is using ssh-agent-filter [1], it is desirable to use one ssh agent for authenticating against the remote server, but to forward another one.

ssh could have a `ForwardAgentSocket` option, which specifies a different socket, and defaults to `${SSH_AUTH_SOCK}`. Whether it's feasible to evaluate variables in that option (so a user could put `Host * / ForwardAgentSocket ${SSH_AUTH_SOCK_ONLYGITKEYS}` in a git config) is up to the way the config file is handled. The option should be accepted by `-o` too.

Together with ssh-agent-filter, or by running separate agents for work and Linux, this would solve bug #1937 without further workarounds.

[1] https://github.com/tiwe-de/ssh-agent-filter
Comment 1 chrysn 2015-08-21 00:05:25 AEST
Given that forwarding generic unix sockets is possible since 6.7, this can *almost* be done by hand already. What is missing is the possibility to determine a writable location on the remote server (as $HOME can not be expanded beforehand), and a way of setting that writable location as an environment variable.
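The by-hand approach Comment 1 refers to, written out as an added example (this is not from the report or from OpenSSH): the agent used for authentication is not forwarded at all, and the restricted agent's socket is pushed to the remote host as a plain stream-local forward. Host name, socket paths and the `uid` suffix are placeholders.

```ssh_config
# Pre-8.2 workaround (added example; host name and paths are placeholders).
Host build.example.org
    # Authenticate with whatever $SSH_AUTH_SOCK (or IdentityAgent) points at,
    # but do not forward that agent.
    ForwardAgent no
    # Forward the restricted agent's socket as a generic unix socket instead
    # (stream-local forwarding, OpenSSH 6.7 and later).  The remote path has
    # to be chosen in advance: ~ and $HOME are not expanded there, so it must
    # be an absolute path the remote user can write to.
    RemoteForward /tmp/agent-gitkeys-uid.sock /run/user/1000/ssh-agent-gitkeys.sock
# On the remote host nothing points at the forwarded socket, so every session
# must set it by hand:
#     export SSH_AUTH_SOCK=/tmp/agent-gitkeys-uid.sock
```

Two caveats a practitioner hits with this form: the socket file is created by sshd, so whether a stale file from a previous session is removed is governed by `StreamLocalBindUnlink` in the server's sshd_config, not by the client setting; and a fixed, predictable name under /tmp on a shared host is a target for squatting before the forward is established, which is one reason the remote location should be per-user (the default `StreamLocalBindMask` of 0177 keeps the created socket itself user-only).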
Comment 2 Daniel Black 2017-11-08 13:31:53 AEDT
Does IdentityAgent support this requirement along with port forwarding now?
Comment 3 chrysn 2017-11-08 20:59:25 AEDT
Not as far as I can tell from the documentation. IdentityAgent still does not allow a distinction between the agent that is used for authentication and the agent that is forwarded.
Comment 4 Daniel Black 2017-11-09 09:46:22 AEDT
Apologies, missed that distinction.
Comment 5 András Korn 2019-12-21 09:36:03 AEDT
*** Bug 3106 has been marked as a duplicate of this bug. ***
Comment 6 Damien Miller 2019-12-21 13:45:09 AEDT
This has been implemented and will be in the openssh-8.2 release:


commit 40be78f503277bd91c958fa25ea9ef918a2ffd3d
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Sat Dec 21 02:19:13 2019 +0000

    upstream: Allow forwarding a different agent socket to the path
    
    specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
    accepting an explicit path or the name of an environment variable in addition
    to yes/no.
    
    Patch by Eric Chiang, manpage by me; ok markus@
    
    OpenBSD-Commit-ID: 98f2ed80bf34ea54d8b2ddd19ac14ebbf40e9265
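The configuration that the 8.2 change makes possible, as an added example (not from the report or from the OpenSSH commit): one agent answers the authentication challenge for the connection, a different, restricted agent is what the remote side sees as `$SSH_AUTH_SOCK`. Host names, socket paths and the `SSH_AUTH_SOCK_GITKEYS` variable are placeholders.

```ssh_config
# ~/.ssh/config, OpenSSH 8.2 or later (added example; host names, socket
# paths and SSH_AUTH_SOCK_GITKEYS are placeholders).
#
# Two agents are assumed to be running, started for instance with
#     ssh-agent -a /run/user/1000/ssh-agent-all.sock      (all keys)
#     ssh-agent -a /run/user/1000/ssh-agent-gitkeys.sock  (git deploy key only,
#                                                         or an ssh-agent-filter socket)

Host build.example.org
    # Agent used to authenticate *to* build.example.org: the full one.
    IdentityAgent /run/user/1000/ssh-agent-all.sock
    # Agent exposed on the remote side as $SSH_AUTH_SOCK: only the restricted
    # one, so a compromised build host can sign with nothing but the git key.
    ForwardAgent /run/user/1000/ssh-agent-gitkeys.sock

Host *.example.org
    # ForwardAgent also takes the name of an environment variable, written
    # with a leading '$'; the socket path is read from ssh's own environment.
    IdentityAgent /run/user/1000/ssh-agent-all.sock
    ForwardAgent $SSH_AUTH_SOCK_GITKEYS

Host *
    # Default stays off; forwarding is enabled per host above.
    ForwardAgent no
```

The same settings can be given on the command line, as the report asked for, with `-o IdentityAgent=/run/user/1000/ssh-agent-all.sock -o ForwardAgent=/run/user/1000/ssh-agent-gitkeys.sock`. `ssh -G build.example.org` prints the effective value of `forwardagent` (the socket path rather than yes/no when a path or variable is configured), which is the quickest way to confirm that a `Host` block matched before trusting it with a key-restricted forward.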
Comment 7 Damien Miller 2021-04-23 14:57:37 AEST
closing resolved bugs as of 8.6p1 release