Simon Josefsson <simon@josefsson.org> writes:

> Agent forwarding isn't that important to me, though. Basic agent support is what is preventing me from using lsh at all, since my private keys are stored on a smartcard.

Point taken. Basic agent support is more important.

> Oh. I'm not sure if that works though. You can defer the passphrase prompt until lsh wants to use the private keys, but if I recall correctly, with SSH you don't know which private key to use anyway, so you have to decrypt them all and try them in order.

You're not recalling all the details ;-)

The ssh userauth protocol allows you to send a publickey, *without* any signature, and the server will tell you if the key + signature would be accepted. The way lsh uses that, it sends such requests for all known keys (and one can send the requests back-to-back, without having to wait a network roundtrip per key), and then it creates and sends a signature for the first key which the server says it will accept.

It's just a question of getting the public key first, without decrypting the corresponding private key upfront.

Regards,
/Niels
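The query-then-sign flow Niels describes is the RFC 4252 section 7 "publickey" method: a USERAUTH_REQUEST with the boolean set to FALSE asks the server whether a key would be accepted, the server answers with USERAUTH_PK_OK (echoing the algorithm name and key blob) or USERAUTH_FAILURE, and only then does the client sign. The following is an added example, not lsh code and not from this thread, that walks a toy client and server through that exchange with the real wire layout of the messages. The key pairs (`ToyKey`, algorithm name `ssh-toy`), the HMAC standing in for a real signature, the session id and the user name are all constructed stand-ins so it runs offline; a real server would verify with the public key instead of sharing the toy secret. The point it demonstrates is that with three candidate keys and one authorized, the private half is touched exactly once, and never for the keys the server rejects.

```python
import hashlib
import hmac
import struct

# Message numbers from RFC 4252.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_PK_OK = 60


def ssh_string(b):
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    """Inverse of ssh_string; returns (bytes, offset after the string)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def request_body(user, service, has_sig, alg, blob):
    """SSH_MSG_USERAUTH_REQUEST, method "publickey", without any trailing signature."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user) + ssh_string(service)
            + ssh_string(b"publickey") + bytes([1 if has_sig else 0])
            + ssh_string(alg) + ssh_string(blob))


class ToyKey:
    """Constructed stand-in for a key pair: an HMAC over a secret plays the signature,
    so no crypto library is needed. sign_calls counts uses of the private half."""
    def __init__(self, name):
        self.alg = b"ssh-toy"  # placeholder algorithm name, not a real SSH algorithm
        self.secret = hashlib.sha256(b"toy-private:" + name).digest()
        self.pub = hashlib.sha256(b"toy-public:" + name).digest()  # "public key blob"
        self.sign_calls = 0

    def sign(self, data):
        self.sign_calls += 1  # on a smartcard this is where the PIN prompt would appear
        return hmac.new(self.secret, data, hashlib.sha256).digest()

    def verify(self, data, sig):
        return hmac.compare_digest(hmac.new(self.secret, data, hashlib.sha256).digest(), sig)


class Server:
    def __init__(self, session_id, authorized):
        self.session_id, self.authorized = session_id, authorized  # authorized: blob -> ToyKey

    def handle(self, msg):
        user, off = read_string(msg, 1)
        service, off = read_string(msg, off)
        method, off = read_string(msg, off)
        has_sig, off = msg[off], off + 1
        alg, off = read_string(msg, off)
        blob, off = read_string(msg, off)
        failure = bytes([SSH_MSG_USERAUTH_FAILURE]) + ssh_string(b"publickey") + b"\x00"
        if method != b"publickey" or blob not in self.authorized:
            return failure
        if not has_sig:  # query only: say whether this key would be accepted
            return bytes([SSH_MSG_USERAUTH_PK_OK]) + ssh_string(alg) + ssh_string(blob)
        sig_start = off
        sig, off = read_string(msg, off)
        # Signed data (RFC 4252 sec 7): session id as a string, then the request sans signature.
        if self.authorized[blob].verify(ssh_string(self.session_id) + msg[:sig_start], sig):
            return bytes([SSH_MSG_USERAUTH_SUCCESS])
        return failure


class Client:
    def __init__(self, keys, user, service=b"ssh-connection"):
        self.keys, self.user, self.service = keys, user, service

    def authenticate(self, server, session_id):
        # Phase 1: a signature-less query for every known key, sent back to back.
        queries = [request_body(self.user, self.service, False, k.alg, k.pub) for k in self.keys]
        replies = [server.handle(q) for q in queries]
        # Phase 2: sign with the first key the server said it would accept.
        for key, reply in zip(self.keys, replies):
            if reply[0] != SSH_MSG_USERAUTH_PK_OK:
                continue
            alg, off = read_string(reply, 1)
            blob, _ = read_string(reply, off)
            if (alg, blob) != (key.alg, key.pub):
                continue  # PK_OK must echo the key we asked about
            body = request_body(self.user, self.service, True, key.alg, key.pub)
            sig = key.sign(ssh_string(session_id) + body)  # private key touched only here
            return server.handle(body + ssh_string(sig))[0] == SSH_MSG_USERAUTH_SUCCESS
        return False


def demo():
    # Three client keys, only the second is authorized: exactly one signing operation.
    session_id = hashlib.sha256(b"constructed session id").digest()
    keys = [ToyKey(b"smartcard"), ToyKey(b"laptop"), ToyKey(b"backup")]
    server = Server(session_id, authorized={keys[1].pub: keys[1]})
    ok = Client(keys, b"simon").authenticate(server, session_id)
    return ok, [k.sign_calls for k in keys]  # (True, [0, 1, 0])
```

`demo()` returns `(True, [0, 1, 0])`: the smartcard and backup keys are never asked to sign. The echo check on the PK_OK reply is the one thing worth keeping from this toy when building the real thing, since a client that signs with whatever key comes back, rather than the one it queried, is trusting the server to pick its key.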