If you have an encrypted ssh key for each domain you access (you should), and you keep your unlocked keys in a single ssh-agent (you maybe shouldn't), AND you've ever decided you need to forward your ssh-agent (ssh -A, or ForwardAgent yes in your config), then you should feel bad.

If you forward an ssh-agent holding your unique keys for every domain to an ssh server that is compromised, anyone with root on that server can talk to the forwarded socket and sign with every one of those keys for as long as your session lasts. The private keys themselves never leave your machine, but that is cold comfort: the attacker can authenticate as you to every domain those keys open, and you have no way of knowing which ones they used. Kablooie! Done. Have fun rotating them all. (On any server you are logged into, ssh-add -l lists exactly what your forwarded agent is exposing.)
sshecret is a tool that creates an ssh-agent for each identity file found in your ssh_config(5) and executes ssh commands for a particular host using an environment that has access to only the key for that one host. If a server to which you've forwarded your ssh-agent is compromised, then only the key used for that domain will be affected.
sshecret is a wrapper around ssh that automatically manages multiple ssh-agent(1) sockets, each containing only a single unlocked ssh key.

sshecret accepts the same parameters as ssh(1): fundamentally, sshecret uses execve(2) to wrap ssh, modifying the environment (specifically SSH_AUTH_SOCK, which is how ssh finds its agent) to ensure that each key in your ssh_config(5) uses its own ssh-agent.
Install via pip:

    pip install --user sshecret
Wherever ssh is accepted, sshecret can be substituted for it, since it takes the same arguments.

To use sshecret with git, point GIT_SSH at sshecret by adding this to your shell initialization file (~/.bashrc or the like):

    # git invokes $GIT_SSH with ssh-style arguments, so sshecret drops straight in
    if command -v sshecret > /dev/null 2>&1; then
        export GIT_SSH=sshecret
    fi

Note that GIT_SSH_COMMAND, if it is set, takes precedence over GIT_SSH.
To use sshecret with scp, add this alias to your shell initialization file:

    # scp -S names the program used for the connection; it must accept ssh's options
    if command -v sshecret > /dev/null 2>&1; then
        alias scp='scp -S sshecret'
    fi
sshecret obviously won't help you if you're using the same ssh key for multiple domains: one key in one agent still opens every host that trusts it, so forwarding that agent anywhere exposes all of them. You are clearly beyond help.
sshecret depends on a correct ssh_config(5) for your user (found at ~/.ssh/config or wherever $SSH_CONF is pointing), so it'll get weird if that file is weird or nonexistent. Sorry, I guess.
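The per-key environment described above and the shared-key caveat, as an added example that is not sshecret's own code: it parses a constructed ssh_config, picks the one key a host's agent should hold (the first IdentityFile ssh would try, since IdentityFile accumulates across matching Host blocks), builds the environment ssh would be exec'd with, and lists keys reused as the primary key of more than one Host block. The socket naming scheme under SOCKET_DIR and the simplified parser (Host and "Keyword value" lines only, no Match or Include) are assumptions; starting each agent and loading its key with ssh-add is assumed to have happened already.

```python
# Added illustration of the per-key agent mechanism; NOT sshecret's own code.
# Assumptions: a simplified ssh_config parser (Host/"Keyword value" lines only),
# a made-up socket naming scheme, and per-key agents already started and loaded.
import fnmatch
import hashlib
import os
from collections import defaultdict

SOCKET_DIR = "/run/user/1000/sshecret"  # hypothetical per-key socket directory

# Constructed sample config (not from the README); id_prod is deliberately reused.
SAMPLE_CONFIG = """\
Host github.com
    IdentityFile ~/.ssh/id_github
    ForwardAgent yes

Host prod-*.example.net
    User deploy
    IdentityFile ~/.ssh/id_prod

Host legacy.example.org
    IdentityFile ~/.ssh/id_prod

Host *
    IdentityFile ~/.ssh/id_default
"""
# Same idea without a catch-all block, to show what an unconfigured host gets.
NO_WILDCARD_CONFIG = "Host only.example.com\n    IdentityFile ~/.ssh/id_only\n"


def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, directives) blocks in file order.
    Directives before the first Host line apply everywhere, so they go into an
    implicit 'Host *' block at the front, as ssh(1) treats them."""
    blocks = [(["*"], defaultdict(list))]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((value.split(), defaultdict(list)))
        else:
            blocks[-1][1][keyword].append(value)
    return blocks


def block_matches(patterns, host):
    """Host semantics: some positive pattern must match and no '!' pattern may."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched


def identity_files_for(host, config_text):
    """Every IdentityFile that applies to host, in the order ssh would try them."""
    files = []
    for patterns, directives in parse_ssh_config(config_text):
        if block_matches(patterns, host):
            files.extend(directives.get("identityfile", []))
    return files


def identity_for(host, config_text):
    """The single key a per-host agent should hold, or None if none is configured."""
    files = identity_files_for(host, config_text)
    return files[0] if files else None


def socket_for_key(key_path, socket_dir=SOCKET_DIR):
    """Hypothetical scheme: one agent socket per key, named by a hash of its path."""
    digest = hashlib.sha256(os.path.expanduser(key_path).encode()).hexdigest()[:16]
    return os.path.join(socket_dir, f"agent-{digest}.sock")


def environment_for_host(host, config_text, base_env, socket_dir=SOCKET_DIR):
    """Environment to exec ssh in. The shared agent is dropped unconditionally,
    so a host with no configured key gets no agent rather than all of them."""
    env = dict(base_env)
    env.pop("SSH_AUTH_SOCK", None)
    env.pop("SSH_AGENT_PID", None)
    key = identity_for(host, config_text)
    if key is not None:
        env["SSH_AUTH_SOCK"] = socket_for_key(key, socket_dir)
    return env


def shared_keys(config_text):
    """Keys that are the primary IdentityFile of more than one Host block:
    the README's 'same key for multiple domains' caveat, made checkable."""
    users = defaultdict(list)
    for patterns, directives in parse_ssh_config(config_text):
        ids = directives.get("identityfile")
        if ids:
            users[ids[0]].append(" ".join(patterns))
    return {key: hosts for key, hosts in users.items() if len(hosts) > 1}


def exec_ssh(host, ssh_args, config_text):
    """Replace this process with ssh under the per-key environment, via execve(2)."""
    os.execvpe("ssh", ["ssh", *ssh_args], environment_for_host(host, config_text, os.environ))


if __name__ == "__main__":
    for host in ("github.com", "prod-web1.example.net", "nowhere.invalid"):
        env = environment_for_host(host, SAMPLE_CONFIG, os.environ)
        print(f"{host:24} key={identity_for(host, SAMPLE_CONFIG)} "
              f"SSH_AUTH_SOCK={env.get('SSH_AUTH_SOCK')}")
    for key, hosts in shared_keys(SAMPLE_CONFIG).items():
        print(f"WARNING: {key} is shared by: {', '.join(hosts)}")
```

Run against your real ~/.ssh/config, the shared_keys() output is the list of keys for which sshecret cannot help you. The design choice worth copying is in environment_for_host(): the inherited SSH_AUTH_SOCK is removed before anything else, so a host that matches no IdentityFile ends up with no agent at all instead of silently forwarding the shared one.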
    usage: sshecret [whatever you want to pass to ssh]

    sshecret is a wrapper around ssh that automatically manages multiple
    ssh-agent(1)s each containing only a single ssh key.

    EXAMPLE:
        sshecret -A -L8080:localhost:80 -l johndoe -p2222 example.com

    sshecret accepts the same parameters as ssh(1) - fundamentally sshecret
    uses execve(2) to wrap ssh, modifying the environment to ensure that
    each key in your ssh_config(5) uses its own ssh-agent.

    optional arguments:
      -h, --help  show this help message and exit
      -v          Increase verbosity of output