logoalt Hacker News

pianopatrickyesterday at 10:47 PM1 replyview on HN

Seems to me a tool like that would stop the agent from sending those specific keys elsewhere. But a tool like that would not stop the agent who is acting as you from using the SSH keys via the CLI. You would want to combine that with other tactics like having the agent run as some other user.


Replies

samhclarkyesterday at 11:05 PM

Secretive (and the similar built-in functionality [1]) both allow you to require TouchID too. I found an okay balance using two SSH keys: one for commit signing (w/o TouchID) and one for everything else (requires TouchID, or PIN on Linux)

So, the actions that I really don't want the agent to take (establishing an SSH connection, pushing to a git remote) always require my manual intervention.

[1] https://gist.github.com/arianvp/5f59f1783e3eaf1a2d4cd8e952bb...