If you have an encrypted ssh key for each domain you access (you should), and you keep your unlocked keys in a single ssh-agent (you maybe shouldn't), AND you've ever decided you need to forward your ssh-agent, then you should feel bad.
If you forward an ssh-agent holding all your unique keys for every domain to an ssh server that is compromised, anyone with root on that server can talk to the forwarded socket and authenticate as you with every key in it for as long as your session is open. They can't read the private keys out of the agent, but they can sign with them, which is all a login needs. So all those unique keys for all those unique domains you access? Kablooie! Done. Have fun rotating them all.
sshecret is a tool that creates an ssh-agent for each identity file found
in your ssh_config(5) and executes ssh commands for a particular host using
an environment that has access to only the key for that one host.
If a server to which you've forwarded your ssh-agent is compromised, then only the key used for that domain will be affected.
sshecret is a wrapper around ssh that automatically manages multiple
ssh-agent(1) sockets each containing only a single unlocked ssh key.
sshecret accepts the same parameters as ssh(1) - fundamentally
sshecret uses execve(2) to wrap ssh, modifying the environment to
ensure that each key in your ssh_config(5) uses its own ssh-agent.
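The mechanism described above, written out as an added example (this is not sshecret's own code, and it stands in for paramiko's SSHConfig with a small hand-rolled ssh_config(5) parser): look the destination host up in ssh_config, start (or reuse) one ssh-agent per IdentityFile, and execve ssh with SSH_AUTH_SOCK pointing at the agent for that host's key only. The socket directory under $XDG_RUNTIME_DIR/sshecret-agents, the socket naming, the SAMPLE_CONFIG text and the script name sshecret-example are all assumptions of this example.

```python
#!/usr/bin/env python3
"""Illustration of the sshecret idea, not the project's own code: one ssh-agent(1)
per IdentityFile, and ssh exec'd with SSH_AUTH_SOCK pointing at the agent for the
target host only. The socket layout and the small ssh_config(5) parser below are
this example's assumptions (sshecret itself uses paramiko's SSHConfig)."""
import fnmatch, hashlib, os, re, subprocess, sys

# ssh(1) options that consume the next argv token (so that token is not the host).
OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")

# Constructed sample config for the checks below; a real run reads ~/.ssh/config.
SAMPLE_CONFIG = """\
Host git.example.org
    User git
    IdentityFile ~/.ssh/id_git_example

Host *.internal.example.com
    IdentityFile=~/.ssh/id_internal
    IdentityFile ~/.ssh/id_internal_old
"""

def parse_ssh_config(text):
    """[(host_patterns, {option: [values]})] in file order; pre-Host lines act as 'Host *'."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        m = re.match(r"^(\S+?)\s*(?:=|\s)\s*(.+)$", raw.split("#", 1)[0].strip())
        if not m:
            continue                      # blank or comment-only line
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))   # negated '!pat' not handled (assumed unused)
        else:
            blocks[-1][1].setdefault(key, []).append(value)
    return blocks

def identities_for_host(blocks, host):
    """Expanded IdentityFile paths for `host`; IdentityFile accumulates across matching blocks."""
    found = []
    for patterns, opts in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for path in map(os.path.expanduser, opts.get("identityfile", [])):
                if path not in found:
                    found.append(path)
    return found

def target_host(ssh_args):
    """Destination from ssh-style argv (the same shape git hands to $GIT_SSH)."""
    skip = False
    for arg in ssh_args:
        if skip:
            skip = False
        elif arg.startswith("-") and len(arg) > 1:
            skip = arg[1] in OPTS_WITH_ARG and len(arg) == 2   # '-p 2222' yes, '-p2222' no
        else:
            return arg.rpartition("@")[2]                      # 'user@host' -> 'host'
    return None

def agent_socket(identity):
    """Deterministic per-key socket path (assumed layout, not sshecret's)."""
    base = os.environ.get("XDG_RUNTIME_DIR") or os.path.expanduser("~/.ssh")
    return os.path.join(base, "sshecret-agents", hashlib.sha256(identity.encode()).hexdigest()[:16] + ".sock")

def ensure_agent(identity):
    """Start or reuse an agent holding only `identity`; return its socket path."""
    sock = agent_socket(identity)
    os.makedirs(os.path.dirname(sock), mode=0o700, exist_ok=True)
    env = dict(os.environ, SSH_AUTH_SOCK=sock)
    # ssh-add -l exit status: 0 keys loaded, 1 agent reachable but empty, 2 no agent
    rc = subprocess.run(["ssh-add", "-l"], env=env, stdout=subprocess.DEVNULL,
                        stderr=subprocess.DEVNULL).returncode
    if rc == 2:
        if os.path.exists(sock):
            os.unlink(sock)               # stale socket left behind by a dead agent
        subprocess.run(["ssh-agent", "-a", sock], check=True, stdout=subprocess.DEVNULL)
    if rc != 0:
        subprocess.run(["ssh-add", identity], env=env, check=True)   # passphrase prompt here
    return sock

def main(argv):
    host = target_host(argv)
    if host is None:
        sys.exit("usage: sshecret-example [ssh options] [user@]host [command]")
    with open(os.path.expanduser("~/.ssh/config")) as fh:
        identities = identities_for_host(parse_ssh_config(fh.read()), host)
    if not identities:   # refuse rather than fall back to a shared agent holding every key
        sys.exit(f"no IdentityFile for {host} in ~/.ssh/config; refusing to expose other keys")
    env = dict(os.environ, SSH_AUTH_SOCK=ensure_agent(identities[0]))
    env.pop("SSH_AGENT_PID", None)
    os.execvpe("ssh", ["ssh"] + argv, env)   # with -A, only this one-key agent gets forwarded

if __name__ == "__main__":
    main(sys.argv[1:])
```

Two design choices worth noting: a host with no IdentityFile makes the script refuse rather than silently inherit whatever SSH_AUTH_SOCK was already in the environment, since falling back to a shared agent is exactly the failure the tool exists to prevent; and the stale-socket check matters because a deterministic socket path outlives the agent process across reboots, and ssh-agent -a will not bind over an existing file. Because target_host accepts the bare `host command` form, the same script works as $GIT_SSH.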
Install via pip:
pip install --user sshecret
Install manually / via APT (the clone lands in ./sshecret, so copy the script out of that directory; writing to /usr/local/bin normally needs root):
apt-get install python3-paramiko
git clone https://github.com/thcipriani/sshecret/
cp sshecret/sshecret.py /usr/local/bin/sshecret
To use sshecret with git, point GIT_SSH to use sshecret by adding
this to your shell initialization file (~/.bashrc or the like):
if command -v sshecret > /dev/null 2>&1; then
export GIT_SSH=sshecret
fi
To use sshecret with scp add this alias to your shell initialization file:
if command -v sshecret > /dev/null 2>&1; then
alias scp='scp -S sshecret'
fi
sshecret obviously won't help you if you're using the same ssh key for
multiple domains. You are clearly beyond help.
sshecret depends on a correct ssh_config(5) for your user (found at
~/.ssh/config or wherever $SSH_CONF is pointing), so it'll get weird if
that file is weird or nonexistent. Sorry, I guess.
Requirements: Python 3 and paramiko (python3-paramiko on Debian/Ubuntu, or pulled in automatically by pip), plus OpenSSH's ssh(1) and ssh-agent(1).
Usage:
usage: sshecret [whatever you want to pass to ssh]
sshecret is a wrapper around ssh that automatically manages multiple
ssh-agent(1)s each containing only a single ssh key.
EXAMPLE: sshecret -A -L8080:localhost:80 -l johndoe -p2222 example.com
sshecret accepts the same parameters as ssh(1) - fundamentally sshecret uses
execve(2) to wrap ssh, modifying the environment to ensure that each key in
your ssh_config(5) uses its own ssh-agent.
optional arguments:
-h, --help show this help message and exit
-v Increase verbosity of output