https://bugzilla.mindrot.org/show_bug.cgi?id=2480
--- Comment #4 from Fabiano Fidêncio <[email protected]> ---

As asked by Damien, let me summarize why I do need this change on this bug report. Here is the rationale:

As usual I am doing a considerable amount of development on Virtual Machines, and usually I don't have their IP address to do an actual ssh agent forward, so I started working on a way to do an "agent forward" over a spice channel, and I am writing "agent forward" in quotation marks for a reason.

There are operations that I really don't feel like forwarding to the client's agent (remote), like SSH_AGENTC_{ADD,REMOVE}_*_IDENTITY. IMO, adding/removing a key should still be something that goes through the local agent inside the Virtual Machine. All the other operations, IMO, should have their results merged. For instance, SSH_AGENTC_REQUEST_RSA_IDENTITIES should return the identities from both the local and the client's agent (remote), otherwise we would be bulldozing the local agent inside the Virtual Machine.

So, that's the big view of my idea and that's the first reason that I have to have two agents running: the local agent and a "dispatcher" that talks to the client's agent (remote).

The second reason (and the stronger one) is that when doing an agent-forward I should not mess with the agent running inside the Virtual Machine; I really should not break any kind of Desktop Environment integration, and here the whole set of problems started. In my first implementation I tried to do:

1) Get the SSH_AUTH_SOCK var
2) Move the (local) socket created there to somewhere else
3) Create the client's socket (remote) in the same path as SSH_AUTH_SOCK
4) When disconnecting, move the local agent socket back to the same path as SSH_AUTH_SOCK

That's a *really* *ugly* implementation, but it could have worked. The main problem is that GNOME is using Gnome Keyring's ssh-agent and it has an option that replaces the socket on SSH_AUTH_SOCK. If, somehow, for some reason, the user does that ... bye bye remote agent and my functionality is broken.

So, I really know that my patch may be intrusive, but it is the last option that I have for having an agent-forward through a spice channel, completely Desktop Environment agnostic. Any kind of suggestion on how to solve this situation without the need of multiple agents is more than appreciated.

openssh-bugs mailing list: https://lists.mindrot.org/mailman/listinfo/openssh-bugs
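The "dispatcher" policy the comment describes, as an added example that is not code from the bug report or from OpenSSH: key-management requests stay with the local agent inside the VM, SSH2_AGENTC_REQUEST_IDENTITIES is answered by merging both agents' lists, and anything else (e.g. a sign request) is tried locally first and only falls back to the remote agent on SSH_AGENT_FAILURE (that fallback order is an assumption). Message numbers are the SSH2 agent protocol ones; the `fake_agent` stand-in and its simplified ADD_IDENTITY payload are constructed test scaffolding, not a real agent socket.

```python
import struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE, SSH_AGENT_SUCCESS = 5, 6
SSH2_AGENTC_REQUEST_IDENTITIES, SSH2_AGENT_IDENTITIES_ANSWER = 11, 12
# ADD_IDENTITY, REMOVE_IDENTITY, REMOVE_ALL_IDENTITIES, ADD_ID_CONSTRAINED:
# these never leave the VM's own agent.
LOCAL_ONLY = {17, 18, 19, 25}

def put_string(b):
    return struct.pack(">I", len(b)) + b

def get_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def frame(msg_type, payload=b""):
    """uint32 length, one type byte, then the payload, as on the agent socket."""
    return struct.pack(">IB", 1 + len(payload), msg_type) + payload

def parse_identities(resp):
    """Decode SSH2_AGENT_IDENTITIES_ANSWER into a list of (key_blob, comment)."""
    if resp[4] != SSH2_AGENT_IDENTITIES_ANSWER:
        return []
    (count,) = struct.unpack_from(">I", resp, 5)
    off, ids = 9, []
    for _ in range(count):
        blob, off = get_string(resp, off)
        comment, off = get_string(resp, off)
        ids.append((blob, comment))
    return ids

def identities_answer(ids):
    body = struct.pack(">I", len(ids)) + b"".join(put_string(k) + put_string(c) for k, c in ids)
    return frame(SSH2_AGENT_IDENTITIES_ANSWER, body)

def dispatch(request, local, remote):
    """Route one framed request; `local`/`remote` are callables bytes -> bytes."""
    msg_type = request[4]
    if msg_type in LOCAL_ONLY:                      # key management stays local
        return local(request)
    if msg_type == SSH2_AGENTC_REQUEST_IDENTITIES:  # merge both key lists
        return identities_answer(parse_identities(local(request)) + parse_identities(remote(request)))
    resp = local(request)                           # e.g. SIGN_REQUEST: local first
    return resp if resp[4] != SSH_AGENT_FAILURE else remote(request)

def fake_agent(keys):
    """Constructed in-memory agent; ADD payload is just (blob, comment) here."""
    def handle(request):
        msg_type = request[4]
        if msg_type == SSH2_AGENTC_REQUEST_IDENTITIES:
            return identities_answer(keys)
        if msg_type in LOCAL_ONLY:
            blob, off = get_string(request, 5)
            keys.append((blob, get_string(request, off)[0]))
            return frame(SSH_AGENT_SUCCESS)
        return frame(SSH_AGENT_FAILURE)             # no signing in the stand-in
    return handle
```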
