when a user has different ssh agents running, or is using ssh-agent-filter[1], it is desirable to use one ssh agent for authenticating against the remote server, but to forward another one. ssh could have a `ForwardAgentSocket` option, which specifies a different socket, and defaults to `${SSH_AUTH_SOCK}`. whether it's feasible to evaluate variables in that option (so a user could put `Host * / ForwardAgentSocket ${SSH_AUTH_SOCK_ONLYGITKEYS}` in a git config) is up to the way the config file is handled. the option should be accepted by `-o` too. together with ssh-agent-filter, or by running separate agents for work and linux, this would solve the bug #1937 without further workarounds. [1] https://github.com/tiwe-de/ssh-agent-filter
given that forwarding generic unix sockets is possible since 6.7, this can *almost* be done by hand yet. what is missing is the possibility to determine a writable location on the remote server (as $HOME can not be expanded beforehand), and a way of setting that writable location as an environment variable.
Does IdentityAgent support this requirement along with port forwarding now?
Not as far as I can tell from the documentation. IdentityAgent still does not allow a distinction between the agent that is used for authentication and the agent that is forwarded.
Apologies, missed that distinction.
*** Bug 3106 has been marked as a duplicate of this bug. ***
This has been implemented and will be in the openssh-8.2 release:
    commit 40be78f503277bd91c958fa25ea9ef918a2ffd3d
    Author: djm@openbsd.org <djm@openbsd.org>
    Date: Sat Dec 21 02:19:13 2019 +0000
    upstream: Allow forwarding a different agent socket to the path specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accepting an explicit path or the name of an environment variable in addition to yes/no.
    Patch by Eric Chiang, manpage by me; ok markus@
    OpenBSD-Commit-ID: 98f2ed80bf34ea54d8b2ddd19ac14ebbf40e9265
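The behaviour described in the commit above, shown as an added ssh_config example that is not part of the original thread or of the OpenSSH project's own documentation. It assumes OpenSSH 8.2 or later, a hypothetical host name, and that `SSH_AUTH_SOCK_ONLYGITKEYS` (the variable name used in the first comment) is exported in the local shell and holds the socket path of the restricted agent.

```sshconfig
# Constructed example; gitbox.example.org is a hypothetical host.
# ssh_config uses the first value obtained for each option, so the
# specific Host block comes before the Host * defaults.

Host gitbox.example.org
    # Authenticate to this host with the full agent. SSH_AUTH_SOCK is the
    # literal keyword meaning "read the socket path from $SSH_AUTH_SOCK".
    IdentityAgent SSH_AUTH_SOCK

    # Before 8.2 the only way to forward was:
    #     ForwardAgent yes
    # which exposes the same agent used for authentication, with every
    # key it holds, to the remote host.

    # With 8.2 and later, forward a different agent instead. A leading '$'
    # names an environment variable that holds the socket path (assumed to
    # be set locally and to point at the restricted agent).
    ForwardAgent $SSH_AUTH_SOCK_ONLYGITKEYS

Host *
    # Everything else gets no forwarded agent at all.
    ForwardAgent no
```

The same value is accepted on the command line as `-o ForwardAgent=...`, with the `$` quoted so that ssh rather than the local shell resolves the variable.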
closing resolved bugs as of 8.6p1 release