by aidos 2624 days ago
I never quite understand why there’s not a confirm version. ForwardWithConfirmation or something. I’m active when I need forwarding - would be happy to simply be prompted before it’s allowed.
3 comments

OpenSSH does have confirmation: use the '-c' switch to ssh-add.

https://man.openbsd.org/ssh-add

Or "AddKeysToAgent confirm" in ~/.ssh/config
Waaaaaaat?! That could definitely be better known.
TIL :|
Hang in there.
This could be a sane default.
Hm, anything similar for gpg agent (both for gpg, and as a stand-in for ssh-agent)?

Ed: looks like I need to edit my sshcontrol-file

https://www.gnupg.org/documentation/manuals/gnupg/Agent-Conf...
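Both of the settings mentioned above (`AddKeysToAgent confirm` in `~/.ssh/config`, and the `confirm` flag on a keygrip line in gpg-agent's `sshcontrol` file) are easy to set and then forget whether they actually took effect. The script below is an added example, not code from this thread or from OpenSSH/GnuPG: it audits both files for agent-side confirmation. It runs offline against constructed sample files (the keygrips are placeholder digit strings, not real keys), and it reads only the first `AddKeysToAgent` directive in whitespace form, which matches ssh_config's first-value-wins rule but ignores `Host`/`Match` scoping and the `key=value` syntax.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether signing-time confirmation
# is requested in an OpenSSH client config and in gpg-agent's sshcontrol file.
set -u

# Print the first AddKeysToAgent value found in an ssh_config-style file
# (lower-cased), or "unset" when the directive is absent. ssh_config uses the
# first value obtained, so the first match is the effective one.
addkeys_setting() {
    awk '
        tolower($1) == "addkeystoagent" && !found { print tolower($2); found = 1 }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print the keygrips in a gpg-agent sshcontrol file that are enabled (no
# leading "!") but do not carry the "confirm" flag. sshcontrol lines are
# "KEYGRIP TTL [FLAGS]"; "#" starts a comment.
sshcontrol_unconfirmed() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        substr($1, 1, 1) == "!" { next }       # disabled entries cannot be used anyway
        {
            has = 0
            for (i = 3; i <= NF; i++) if ($i == "confirm") has = 1
            if (!has) print $1
        }
    ' "$1"
}

# Write constructed sample files into the directory given as $1.
make_samples() {
    sample_dir=$1
    printf 'Host *\n    AddKeysToAgent yes\n' > "$sample_dir/config_weak"
    printf 'Host *\n    AddKeysToAgent confirm\n' > "$sample_dir/config_good"
    printf 'Host *\n    ServerAliveInterval 30\n' > "$sample_dir/config_unset"
    cat > "$sample_dir/sshcontrol" <<'EOF'
# constructed sample; keygrips are placeholders, not real keys
1111111111111111111111111111111111111111 0 confirm
2222222222222222222222222222222222222222 0
!3333333333333333333333333333333333333333 0
EOF
}

# Stand-alone demo: build the samples and report what an operator would see.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in config_weak config_good config_unset; do
    echo "$f: AddKeysToAgent = $(addkeys_setting "$demo_dir/$f")"
done
echo "sshcontrol keygrips usable without confirmation:"
sshcontrol_unconfirmed "$demo_dir/sshcontrol"
rm -rf "$demo_dir"
```

Pointing the two functions at the real `~/.ssh/config` and `~/.gnupg/sshcontrol` turns this into a quick check that the "confirm" behaviour is actually configured; note that confirmation for keys loaded with `ssh-add -c` is prompted through `ssh-askpass`, so an askpass program must be available for the prompt to appear at all.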

If you use Yubikey with touch-to-use enabled that'll be basically what you're asking - each authentication will require touching the token.
I just enabled that after seeing this incident.

For people in the same boat, it can be done trivially using the YubiKey Manager CLI: https://developers.yubico.com/yubikey-manager/

Some ssh agent implementations do this, notably the one built into Android ConnectBot can be configured to request confirmation each time it is asked to authenticate. Unfortunately ssh-agent (from OpenSSH) does not as far as I know. It's happy to authenticate as many times as requested without any notification.
It can, and it's determined per key when added to the agent.

Look for -c here: https://man.openbsd.org/ssh-add

Indeed it is - I even checked the man page before posting the comment and completely missed that option.