[Bug 3106] New: Please allow ssh to use one agent to authenticate, but forward agent connections to another one

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat Dec 21 09:25:25 AEDT 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=3106

            Bug ID: 3106
           Summary: Please allow ssh to use one agent to authenticate, but
                    forward agent connections to another one
           Product: Portable OpenSSH
           Version: 8.1p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: korn-mindrot.org at elan.rulez.org

Background: forwarding connections to ssh-agent is risky; if a server
you ssh into is compromised (or if its administrator is malicious),
someone could abuse your forwarded agent to authenticate as you.

One mitigation is to use `ssh-add -c` when adding keys to the agent,
which causes the agent to prompt the user each time a key would need to
be used.

Problem: for people who use ssh a lot, `ssh-add -c` is very
inconvenient; it would be nice if we could be prompted only when a
*remote* client tries to use our key, not for local clients.
Unfortunately, ssh-agent can't differentiate between local and remote
clients.

Proposal: have the user run two agents; one for local clients, one for
remote ones. Keys would be added to the 2nd agent with `ssh-add -c`,
but without `-c` to the 1st one. ssh clients started locally would use
the local agent to authenticate; however, they would forward agent
connections from remote servers to the 2nd agent.

The ForwardAgent ssh_config directive could be extended to support
specifying a path to a socket in addition to the "yes" and "no"
keywords, in the same way IdentityAgent does. IdentityAgent would point
to the local agent socket (which doesn't prompt for key usage), and
ForwardAgent would point to the other agent socket (which would require
user confirmation when a remote client wishes to use a private key).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list