On May 19, 2011, at 15:25, Matthew Miller wrote:
> Peter Stuge wrote:
>>> Right now, ssh-agent makes a check using getpeereid(), and declines
>>> access if it fails. This is very sensible in general, but breaks this
>>> particular case. Might a patch to allow an option to ssh-agent to relax
>>> the check be accepted?
>> I doubt it. I would suggest that you implement an ssh-agent proxy to sit
>> in front of the actual agent, running as keyholder, where you implement
> That's an interesting idea. However, for this case, that introduces
> complication without particular benefit, as we're not wanting to implement
> any particular policy but rather have ssh-agent _refrain_ from enforcing a
> hard-coded one. Without the check, simple policy can be implemented at the
> filesystem level (or through various security modules).
Why not simply give each user their own private key and add/remove it from the authorized_keys at the appropriate times?
openssh-unix-dev mailing list
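
The peer-credential check this thread is about, as an added example that is not part of the original messages and is not OpenSSH code. It is Linux-only and uses `SO_PEERCRED` in place of `getpeereid()`; the names `peer_credentials`, `peer_allowed`, `owner_uid` and `extra_uids` are hypothetical, and comparing the peer's uid with the listener's own uid is an assumption about what the check enforces.

```python
import os
import socket
import struct

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid;
_UCRED = struct.Struct("iII")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of a Unix socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def peer_allowed(conn, owner_uid=None, extra_uids=frozenset()):
    """Decide whether a connecting peer may talk to the key holder.

    owner_uid  -- uid the listener runs as (defaults to our effective uid)
    extra_uids -- explicit allowlist, the kind of policy a proxy in front of
                  the agent could add (hypothetical, not an ssh-agent option)
    """
    if owner_uid is None:
        owner_uid = os.geteuid()
    try:
        _pid, uid, _gid = peer_credentials(conn)
    except OSError:
        # Fail closed: if the credential lookup fails, decline access.
        return False
    return uid == owner_uid or uid in extra_uids


if __name__ == "__main__":
    # Constructed sample: a socketpair stands in for an accepted agent connection.
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    me = os.geteuid()
    print("peer uid:", peer_credentials(a)[1])
    print("same uid allowed:", peer_allowed(a))
    print("other owner, no allowlist:", peer_allowed(a, owner_uid=me + 1))
    print("other owner, allowlisted:", peer_allowed(a, owner_uid=me + 1, extra_uids={me}))
    a.close()
    b.close()
```

Because the uid comes from the kernel rather than from anything the client sends, the decision holds even when filesystem permissions on the socket path are wider than intended.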