ssh-add: local private keys added to forwarded agents
Dave Ryan
dave at ugc.org.uk
Wed Jun 5 20:07:38 EST 2002
Hi,
This may or may not cause concern for some people (considering a lot of
people store all of their keys on a single client system).
Snippet from draft-ietf-secsh-agent-00.txt:
2. Security Considerations
This protocol is designed only to run as a channel of the SSH
protocol.
The goal of this extension is to ensure that the users private keys
never leave the machine they are physically at. Ideally the private
keys should be stored on a password protected removable media such as
a smartcard.
I noticed that ssh-add will add a private key to a forwarded agent, if
there are no local agents started by that user - this breaks the draft
specification as private keys on a local host are added to an agent
running on a remote host.
For example,
USERA starts ssh-agent on HOSTA. USERA then ssh's to HOSTB and runs
ssh-add on HOSTB; the private keys from HOSTB are then added to the
ssh-agent on HOSTA.
If USERA had started ssh-agent on HOSTB and then run ssh-add, the keys
would have remained local to the system.
I also noticed that if there are no local agents running, a remote agent
socket will show up in /tmp/ssh-XXXXXXXX/ as agent.$PID=, whereas if a
local agent IS running the "=" is dropped.
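As an added example (not from the post or from OpenSSH), here is a small POSIX sh guard that checks for the two signs of a forwarded agent described above before running ssh-add. It assumes that sshd's forwarded socket sets only SSH_AUTH_SOCK while a locally started ssh-agent also exports SSH_AGENT_PID, and treats the trailing "=" naming reported above as a further sign; both are heuristics, and a stale inherited environment can fool them.

```shell
#!/bin/sh
# Guard for ssh-add: refuse to load local private keys into an agent that
# looks like it was forwarded from another host.
# Added example, not part of the post or of OpenSSH.
#
# Heuristics (assumptions):
#  1. A locally started ssh-agent exports SSH_AGENT_PID; sshd's forwarded
#     agent socket sets only SSH_AUTH_SOCK.
#  2. The post reports a forwarded socket named agent.$PID= (trailing "="),
#     while a local agent's socket name carries no "=".

# agent_kind SOCK_PATH AGENT_PID -> prints "local", "forwarded" or "none"
agent_kind() {
    sock=$1
    pid=$2
    if [ -z "$sock" ]; then
        echo none
        return 0
    fi
    case $sock in
        *=) echo forwarded; return 0 ;;   # naming the post observed for forwarded sockets
    esac
    if [ -z "$pid" ]; then
        echo forwarded                    # socket present but no local agent PID: inherited
        return 0
    fi
    echo local
}

# safe_ssh_add [ssh-add args...]: run ssh-add only against a local agent
safe_ssh_add() {
    kind=$(agent_kind "$SSH_AUTH_SOCK" "$SSH_AGENT_PID")
    case $kind in
        local)     ssh-add "$@" ;;
        forwarded) echo "refusing: SSH_AUTH_SOCK=$SSH_AUTH_SOCK looks forwarded" >&2; return 1 ;;
        none)      echo "no agent in this session" >&2; return 1 ;;
    esac
}

# Usage: source this file, then call safe_ssh_add ~/.ssh/id_rsa
```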
I'm not sure if it is appropriate to apply mechanisms to ssh-add to
prevent it adding local keys to a forwarded agent or if a quick
addition to the man pages will suffice.
If this has been discussed before I apologise; I couldn't find any
references to anything similar.
Cheers,
Dave.
--
ugc Security Research
http://www.ugc.org.uk/~dave