Summary

OpenSSH 8.9 includes the ability to control how and where keys in ssh-agent may be used, both locally and when forwarded (subject to some limitations).

Examples

From https://www.openssh.com/agent-restrict.html:

These extensions allow the user to add destination constraints to keys they add to a ssh-agent and have ssh enforce them. For example, this command:

$ ssh-add -h "perseus@cetus.example.org" \
          -h "scylla.example.org" \
          -h "scylla.example.org>medea@charybdis.example.org" \
          ~/.ssh/id_ed25519

Adds a key that can only be used for authentication in the following circumstances:

• From the origin host to cetus.example.org as user perseus.
• From the origin host to scylla.example.org as any user.
• Through scylla.example.org to host charybdis.example.org as user medea.

It would be great if the "SSH Agent" panel in an entry had the possibility to add a list of restrictions

Context

This would allow me to forward my agent to more hosts than the restricted "safe" set that I currently have, while keeping my keys in KeePassXC.