ssh-agent-proxy
SSH agents can be loaded with multiple keys. In some scenarios you do not
control the number of keys the agent exposes, and starting a new agent with
fewer keys is not an option. This is for instance the case when a password
manager acts as your SSH agent.
This may cause issues, for instance, when:
- an SSH server sets MaxAuthTries to a value lower than the number of keys in the agent: the client offers the agent's keys one by one, every rejected key counts as a failed attempt, and the server drops the connection ("Too many authentication failures") before the right key is tried;
- you want to expose only one key during SSH agent forwarding, since a forwarded agent lets the remote host request signatures with every key the agent holds.
ssh-agent-proxy exposes a distinct SSH agent socket per key held by another SSH
agent. When an application uses one of these proxied agents, the proxy filters
the queries and responses exchanged with the all-knowing agent so that only one
specific key is listed and usable. As a bonus, when started in verbose mode,
every interaction with the agent is logged to stderr, including the date, the
nature of the operation, and the name and PID of the requesting process when
that information is available.
Per-key SSH agent sockets are created in the directory specified with the
mandatory -out option.
The all-knowing SSH agent socket is designated by the standard SSH_AUTH_SOCK
environment variable.
Per-key SSH agent sockets are named by concatenating the comment of the public
key, an underscore, and the SHA256 fingerprint of the public key, with slashes
replaced by underscores.
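To make the filtering concrete, here is an added example (not the project's own code) that parses and rewrites the two agent protocol messages a per-key proxy has to care about: the SSH_AGENT_IDENTITIES_ANSWER coming back from the all-knowing agent is reduced to the one allowed key, and an SSH_AGENTC_SIGN_REQUEST from the client is only forwarded when it names that key. It also derives the socket name from the rule above. Assumptions, none of which come from the project: message numbers are those of the SSH agent protocol draft (draft-miller-ssh-agent); the fingerprint is taken to be OpenSSH's `SHA256:<unpadded base64>` form; the key blobs are constructed ssh-ed25519-shaped test data, not real keys; and answering sign requests for other keys locally with SSH_AGENT_FAILURE is how this example chooses to refuse them, the real proxy may do it differently.

```python
"""Filtering SSH agent protocol messages down to a single key (added illustration)."""
from __future__ import annotations

import base64
import hashlib
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13


def put_string(s: bytes) -> bytes:
    """The protocol's 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(s)) + s


def read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read one length-prefixed string at off; return (value, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):  # do not trust the length field over the real size
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def fingerprint(blob: bytes) -> str:
    """Assumed OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def socket_name(blob: bytes, comment: str) -> str:
    """README naming rule: comment, '_', fingerprint, with '/' replaced by '_'."""
    return (comment + "_" + fingerprint(blob)).replace("/", "_")


def encode_identities_answer(ids: list[tuple[bytes, str]]) -> bytes:
    out = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(ids))
    for blob, comment in ids:
        out += put_string(blob) + put_string(comment.encode())
    return out


def decode_identities_answer(msg: bytes) -> list[tuple[bytes, str]]:
    if len(msg) < 5 or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an SSH_AGENT_IDENTITIES_ANSWER")
    (n,) = struct.unpack_from(">I", msg, 1)
    off, ids = 5, []
    for _ in range(n):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        ids.append((blob, comment.decode()))
    return ids


def filter_answer(upstream: bytes, allowed: str) -> bytes:
    """Rewrite the all-knowing agent's answer so only the allowed key is listed."""
    kept = [(b, c) for b, c in decode_identities_answer(upstream) if fingerprint(b) == allowed]
    return encode_identities_answer(kept)


def filter_request(req: bytes, allowed: str) -> tuple[bool, bytes | None]:
    """Decide whether a client request may reach the upstream agent.

    Identity listings and sign requests for the allowed key are forwarded
    (True, None); anything else is answered locally with SSH_AGENT_FAILURE.
    """
    if req and req[0] == SSH_AGENTC_REQUEST_IDENTITIES:
        return True, None
    if req and req[0] == SSH_AGENTC_SIGN_REQUEST:
        try:
            blob, _ = read_string(req, 1)
        except (ValueError, struct.error):  # malformed request: refuse it
            blob = b""
        if fingerprint(blob) == allowed:
            return True, None
    return False, bytes([SSH_AGENT_FAILURE])


def sign_request(blob: bytes, data: bytes, flags: int = 0) -> bytes:
    return bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(blob) + put_string(data) + struct.pack(">I", flags)


def constructed_blob(label: str) -> bytes:
    """Wire-format ssh-ed25519 blob with a constructed 32-byte body (not a real key)."""
    return put_string(b"ssh-ed25519") + put_string(hashlib.sha256(label.encode()).digest())


TOTO = constructed_blob("toto")
TATA = constructed_blob("tata")
ALLOWED = fingerprint(TOTO)  # the key this proxied socket is dedicated to

if __name__ == "__main__":
    upstream = encode_identities_answer([(TOTO, "toto"), (TATA, "tata")])
    listed = decode_identities_answer(filter_answer(upstream, ALLOWED))
    print(socket_name(TOTO, "toto"), "lists", [c for _, c in listed])
    for blob, comment in ((TOTO, "toto"), (TATA, "tata")):
        forward, reply = filter_request(sign_request(blob, b"session data"), ALLOWED)
        print(f"sign with {comment}: forwarded={forward} reply={reply!r}")
```

Run stand-alone, it prints the socket name derived for the toto key, shows that the filtered listing contains only toto, and shows the sign request for tata being answered with SSH_AGENT_FAILURE instead of being forwarded. The functions work on message payloads; on the wire each payload is additionally framed with a uint32 length, so a real proxy reads that frame from the Unix socket, applies the request filter, forwards what is allowed to the socket named by SSH_AUTH_SOCK, and passes the answer through filter_answer before writing it back.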
Example
# Creating directory structure for this example
mkdir keys sockets
chmod 700 keys sockets
# Generating two new SSH keys
ssh-keygen -C toto -f keys/toto -N ""
ssh-keygen -C tata -f keys/tata -N ""
# Starting a new SSH agent
eval $(ssh-agent)
# Adding to that agent the previously generated keys
ssh-add keys/toto keys/tata
# Listing the keys added to the all-knowing agent
ssh-add -L
# Installing the SSH Agent proxy
go install codeberg.org/X_Cli/ssh-agent-proxy/cmd/ssh-agent-proxy@latest
# Starting the proxy
ssh-agent-proxy -out sockets &
# Listing agent sockets in the sockets directory
ls -l sockets/
# Selecting an agent socket handled by the proxy (absolute path, so it still
# resolves after changing directory)
export SSH_AUTH_SOCK="$(find "$PWD/sockets" -type s -name 'toto*')"
# Listing the keys handled by the filtered/proxied SSH agent: only toto should appear
ssh-add -L