[Bug 3106] New: Please allow ssh to use one agent to authenticate, but forward agent connections to another one
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Sat Dec 21 09:25:25 AEDT 2019
https://bugzilla.mindrot.org/show_bug.cgi?id=3106
Bug ID: 3106
Summary: Please allow ssh to use one agent to authenticate, but
forward agent connections to another one
Product: Portable OpenSSH
Version: 8.1p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: korn-mindrot.org at elan.rulez.org
Background: forwarding connections to ssh-agent is risky; if a server
you ssh into is compromised (or if its administrator is malicious),
someone could abuse your forwarded agent to authenticate as you.
One mitigation is to use `ssh-add -c` when adding keys to the agent,
which causes the agent to prompt the user each time a key would need to
be used.
Problem: for people who use ssh a lot, `ssh-add -c` is very
inconvenient; it would be nice if we could be prompted only when a
*remote* client tries to use our key, not for local clients.
Unfortunately, ssh-agent can't differentiate between local and remote
clients.
Proposal: have the user run two agents; one for local clients, one for
remote ones. Keys would be added to the 2nd agent with `ssh-add -c`,
but without `-c` to the 1st one. ssh clients started locally would use
the local agent to authenticate; however, they would forward agent
connections from remote servers to the 2nd agent.
The ForwardAgent ssh_config directive could be extended to support
specifying a path to a socket in addition to the "yes" and "no"
keywords, in the same way IdentityAgent does. IdentityAgent would point
to the local agent socket (which doesn't prompt for key usage), and
ForwardAgent would point to the other agent socket (which would require
user confirmation when a remote client wishes to use a private key).
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list