posted by Fnord666 on Monday April 06 2020, @06:46PM
from the on-behalf-of dept.

SSH agent forwarding is to be avoided when possible. When it cannot be avoided, it is a good idea to limit what gets forwarded. Software developer Vincent Bernat describes one way to do this: a simple shell script wrapper around the SSH client that provides each session with its own unique, ephemeral key agent.

ssh-agent is a program to hold in memory the private keys used by SSH for public-key authentication. When the agent is running, ssh forwards to it the signature requests from the server. The agent performs the private key operations and returns the results to ssh. It is useful if you keep your private keys encrypted on disk and you don't want to type the password at each connection. Keeping the agent secure is critical: someone able to communicate with the agent can authenticate on your behalf on remote servers.

ssh also provides the ability to forward the agent to a remote server. From this remote server, you can authenticate to another server using your local agent, without copying your private key on the intermediate server. As stated in the manual page, this is dangerous!

Perhaps another approach would be to embed the wrapper in the ProxyCommand configuration directive, thus obviating the need for either a shell alias or shell function.
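One way to build such a wrapper, as an added example that is not Bernat's own script: a POSIX sh function that has ssh-agent run ssh as its child process (so the agent gets a fresh socket and exits together with ssh), loads only the one named key into it, and refuses to continue if the agent somehow holds anything else. The key path, the one-hour lifetime and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Vincent Bernat's wrapper: run ssh under a throwaway
# ssh-agent holding exactly one key, so agent forwarding (-A) can expose
# only that key to the intermediate host. The agent dies when ssh exits.
# Usage: ephemeral_ssh <key-file> [ssh options...] host [command]

# Validate the key path before starting any agent. Returns 2 on failure.
check_key_file() {
    [ -f "$1" ] && [ -r "$1" ] || return 2
}

ephemeral_ssh() {
    check_key_file "$1" || { echo "unreadable key: $1" >&2; return 2; }
    key=$1; shift
    # ssh-agent executes the command as its child with SSH_AUTH_SOCK and
    # SSH_AGENT_PID pointing at the NEW agent, overriding any inherited
    # agent from the login session. -t caps the identity lifetime.
    # The inner script runs in a separate process, so it is inlined here
    # rather than written as a function of this shell.
    ssh-agent -t 3600 sh -c '
        key=$1; shift
        # Load the single key (ssh-add prompts for its passphrase if any).
        # Add -c here to require per-use confirmation via an askpass program.
        ssh-add -t 3600 "$key" || exit 3
        # Defensive check: abort if the agent holds more than one identity.
        n=$(ssh-add -l | grep -c .)
        [ "$n" -eq 1 ] || { echo "agent holds $n keys, expected 1" >&2; exit 4; }
        exec ssh -A "$@"
    ' ephemeral-ssh "$key" "$@"
}
```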

How and why have soylentils had to deal with SSH agent forwarding?

Previously:
(2019) How SSH Key Shielding Works
(2019) SSH Gets Protection Against Side Channel Attacks
(2018) Default OpenSSH-Portable RSA Private Key Encryption is Poor
(2017) SSH vs OpenVPN for Tunneling
(2016) Upgrade Your SSH Keys
(2015) Why Aren't We Using SSH for Everything?


  • (Score: 3, Funny) by Anonymous Coward on Monday April 06 2020, @08:00PM (2 children)

    by Anonymous Coward on Monday April 06 2020, @08:00PM (#979752)

    >> How and why have soylentils had to deal with SSH agent forwarding?

    I print out the ssh private key and send it by interoffice mail to the office where the server is located, and then ask Kumir to enter it into the server for me. I do the same for him, so it all works out in the end.

  • (Score: 0) by Anonymous Coward on Monday April 06 2020, @10:50PM

    by Anonymous Coward on Monday April 06 2020, @10:50PM (#979800)

    Kumir kopies it to Karachistan. Oh dear, oh me, oh my - however did they hack our systems?

  • (Score: 2) by MostCynical on Tuesday April 07 2020, @12:19AM

    by MostCynical (2589) on Tuesday April 07 2020, @12:19AM (#979820) Journal

    bonus points for using a privacy envelope and spelling Kumir's name correctly.

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex