Limit automatic loading of keys to specific hosts the database is opened on

[hifi]

We had a feature request (keepassxreboot/keepassxc#1721) for KeePassXC where a user wants to limit automatic adding of keys to specific systems rather than loading all keys that have the automatic setting enabled.

This would likely require changes to KeeAgent.settings so it would be the best if such feature would be implemented it would be coordinated with KeeAgent.

What do you guys think?

EDIT: Just to clarify, this is about the local system the database is opened on, sorry for the possible confusion.

[dlech]

It sounds like a rather complex feature that won't be used by most people.

[hifi]

It could possibly help with issue #139 if some of the keys are only needed on specific systems.

[BWibo]

I would love to see this feature!

I use SSH with several different hosts as I have to access several different servers on a regular basis. As MaxAuthTries is usually configured to a conservative number on the host side (<< than the number of SSH keys I have on my agent) I fail to connect because of "Too many auth failures".
As a workaround, I currently copy all public keys to my ~/.ssh folder and add s.th. similar to this for every host in ~/.ssh/config:

Host my.example.host.de
  IdentityFile /c/users/theuser/.ssh/my.example.host.de.pub
  IdentitiesOnly yes

This requries some handwork for every new host or everytime SSH keys change.
Moreover, this solution is unhandy to transport accross client systems. You may have to redo the configuration for all clients you are using (DesktopPC at home/work, Laptop, ...).

Maybe an easy solution would be to make KeeAgent create a ~/.ssh/config file with entries for all hosts and exporting public keys.

Having this implemented within KeeAgent would be a great improvement for me!
I assume, I am not the only one having this kind of SSH usage scenario?
Thx in advance!! :-)

[hifi]

I think you misunderstood the feature, we can't automatically load keys to agent per remote host as that's not possible with the SSH Agent. This feature request was to select which keys are automatically loaded to agent based on the local host.

For your scenario somehow managing remote host mapping and exporting a ~/.ssh/config is probably the way to go. OpenSSH client supports Include directives so it could be a common location on non-Windows machines to automatically export and update such mapping. On Windows it wouldn't work I suppose.

What KeeAgent and compatible implementations could do is manage the list in KeeAgent.settings that such export file could be spun from but there's information leakage from the database that way (public keys and hosts that they "work" with) so that needs to be considered.

[BWibo]

Your right, I had a missunderstanding here. That's what happens when you stop reading anything of the content but the headline. -_-
I'll move this to another feature request, as this might acually bother more people.

[hifi]

Closed in favor of #296.