This repository has been archived by the owner on Jul 19, 2018. It is now read-only.

RFE: allow a key to be marked 'allow only one use' #3

Open
siebenmann opened this issue Mar 23, 2016 · 1 comment

Comments

@siebenmann

I not infrequently would like to authenticate to a host with one ssh-agent key but only forward access to another, less privileged key to the remote host. Because ssh uses the same agent connection for both direct authentication and agent forwarding, there is no straightforward way to do this today even with ssh-agent-filter. An awkward way of making this work would be to mark the authentication key as only being allowed to be used once, implicitly for the initial ssh authentication; afterwards it would be unavailable for use, so the remote host would not have access to it.

This feature would unfortunately be susceptible to problems; for instance, if the authentication key is not actually used in the initial connection, it would remain available through the forwarded agent. This may make it something that you don't want to see implemented in ssh-agent-filter, which is fair enough. If this does seem like a feature that you're willing to accept (possibly with elaboration, for example so that such keys are made unavailable within a few seconds even if they're not used), I'd be happy to take a try at implementing it.

(It's also possible that my need for this feature actually means that I'm setting up my keys in a lazy way and I should be authenticating with more narrowly privileged keys.)

@tiwe-de
Owner

tiwe-de commented Mar 23, 2016

You can use a -confirmed option for the "allow once key" and just accept the first attempt or provide a script as $SSH_ASKPASS to handle it. You might even extend afssh to create that script.
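One way to build the workaround described in the comment above, as an added example that is neither ssh-agent-filter's code nor part of this thread: a `$SSH_ASKPASS` script that confirms the first use of a `*-confirmed` key and denies every later one. It assumes the confirming program is run with the prompt as its argument and that its exit status (0 = allow, non-zero = deny) decides, as with ssh-askpass for `ssh-add -c` keys; the `ASKPASS_ONCE_STATE` variable and the `allow_once` function are my own names.

```shell
#!/bin/sh
# askpass-once: confirm the first key use, deny all later ones.
# Added example, not ssh-agent-filter's own code. Assumptions: the agent
# runs $SSH_ASKPASS once per use of a *-confirmed key, passes the prompt
# as $1, and treats exit 0 as "allow" and non-zero as "deny".
#
# Usage (ASKPASS_ONCE_STATE is an assumed, self-chosen variable):
#   export SSH_ASKPASS=/path/to/askpass-once.sh
#   export ASKPASS_ONCE_STATE="$(mktemp -d)/used"
#   ssh-agent-filter --fingerprint-confirmed <auth-key-fp> ...

# allow_once MARKER
#   Returns 0 (allow) the first time it is called with a given marker path
#   and 1 (deny) on every later call. mkdir is atomic, so two confirmation
#   requests racing for the same marker cannot both be allowed.
allow_once() {
    if mkdir "$1" 2>/dev/null; then
        return 0
    fi
    return 1
}

# Act as the askpass program only when invoked with a prompt argument;
# with no arguments (e.g. when sourced) just define the function above.
if [ "$#" -gt 0 ]; then
    marker="${ASKPASS_ONCE_STATE:?set ASKPASS_ONCE_STATE to the marker path}"
    if allow_once "$marker"; then
        # Log to stderr so the first (and only) grant is visible in the
        # terminal or journal of the session that runs the agent filter.
        printf 'askpass-once: allowed first use: %s\n' "$1" >&2
        exit 0
    fi
    # Every later request, including one relayed through a forwarded
    # agent, is denied and logged; the log line is the detection signal.
    printf 'askpass-once: denied further use: %s\n' "$1" >&2
    exit 1
fi
```

The marker is consumed by whichever confirmation request arrives first, so if the initial login does not use the key, the single allowed use is still available to the forwarded agent, exactly the weakness the issue text describes.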
