ssh-add: local private keys added to forwarded agents

Markus Friedl markus at openbsd.org
Wed Jun 5 20:20:56 EST 2002


i'm not sure what you want, but the ssh-add manpage is missing
a reference to 
     SSH_AUTH_SOCK
             Identifies the path of a unix-domain socket used to communicate
             with the agent.

-m

On Wed, Jun 05, 2002 at 11:07:38AM +0100, Dave Ryan wrote:
> Hi,
> 
> This may or may not cause concern for some people (considering a lot of 
> people store all of their keys on a single client system).
> 
> Snippet from draft-ietf-secsh-agent-00.txt:
> 
> 2. Security Considerations
> 
>    This protocol is designed only to run as a channel of the SSH
>    protocol.
> 
>    The goal of this extension is to ensure that the users private keys
>    never leave the machine they are physically at.  Ideally the private
>    keys should be stored on a password protected removable media such as
>    a smartcard.
> 
> I noticed that ssh-add will add a private key to a forwarded agent, if
> there are no local agents started by that user - this breaks the draft
> specification as private keys on a local host are added to an agent 
> running on a remote host. 
> 
> For example,
> 
> USERA starts ssh-agent on HOSTA. USERA then ssh's to HOSTB, USERA then
> runs ssh-add on HOSTB, the private keys from HOSTB are then added to the
> ssh-agent on HOSTA.
> 
> If USERA had started ssh-agent on HOSTB and then run ssh-add, the keys
> would have remained local to the system.
> 
> I also noticed that if there are no local agents running a remote agent
> socket will show up in /tmp/ssh-XXXXXXXX/ as agent.$PID= whereas if a 
> local agent IS running the "=" is dropped.
> 
> I'm not sure if it is appropriate to apply mechanisms to ssh-add to 
> prevent it adding local keys to a forwarded agent or if a quick 
> addition to the man pages will suffice.
>  
> If this has been discussed before I apologise; I couldn't find any
> references to anything similar.
> 
> Cheers,
> Dave.
> 
> -- 
> ugc Security Research
> http://www.ugc.org.uk/~dave
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
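
As an added illustration (not part of this thread and not OpenSSH code), here is a small wrapper that applies the point above before running ssh-add: it looks up which process owns the socket named in SSH_AUTH_SOCK and only hands keys over when that process is an agent running on this host. A forwarded agent socket is held by the sshd session process on the remote side, so the wrapper refuses in that case. It assumes Linux /proc (/proc/net/unix, /proc/<pid>/fd, /proc/<pid>/comm); the helper names agent_socket_owner, classify_agent_owner and safe_ssh_add are our own, and the list of "local" agent names (ssh-agent, gpg-agent in ssh mode) is an assumption you may need to extend.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH.
# Before handing a key to ssh-add, find out who owns the socket in SSH_AUTH_SOCK:
# a local ssh-agent owns its own listening socket, while a forwarded agent socket
# is owned by the sshd session process, and ssh-add would ship the key to the
# agent on the other end of the SSH connection.
# Assumes Linux /proc (/proc/net/unix, /proc/<pid>/fd, /proc/<pid>/comm);
# helper names below are ours, not OpenSSH's.

# Turn the name of the socket-owning process into a verdict.
classify_agent_owner() {
    case "$1" in
        ssh-agent|gpg-agent)  echo local ;;      # agents that run on this host (assumed list)
        sshd|sshd-session)    echo forwarded ;;  # socket belongs to the SSH session: remote agent
        *)                    echo unknown ;;    # empty or unrecognised owner
    esac
}

# Print the comm name of the process holding the listening unix socket at $1.
# Returns 1 (and prints nothing) if the socket or its owner cannot be found.
agent_socket_owner() {
    sock=$1
    [ -S "$sock" ] || return 1
    # /proc/net/unix columns: Num RefCount Protocol Flags Type St Inode Path.
    # St 01 with a path is the bound listener; accepted connections show St 03.
    inode=$(awk -v p="$sock" '$8 == p && $6 == "01" { print $7; exit }' /proc/net/unix 2>/dev/null)
    [ -n "$inode" ] || return 1
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ]; then
            pid=${fd#/proc/}
            pid=${pid%%/*}
            cat "/proc/$pid/comm" 2>/dev/null
            return 0
        fi
    done
    return 1
}

# ssh-add wrapper. Exit status: 0 = ssh-add ran against a local agent,
# 2 = no SSH_AUTH_SOCK set, 3 = forwarded agent (refused), 4 = owner unknown (refused).
safe_ssh_add() {
    if [ -z "$SSH_AUTH_SOCK" ]; then
        echo "safe_ssh_add: SSH_AUTH_SOCK is not set; no agent to add keys to" >&2
        return 2
    fi
    owner=$(agent_socket_owner "$SSH_AUTH_SOCK") || owner=""
    case "$(classify_agent_owner "$owner")" in
        local)
            ssh-add "$@" ;;
        forwarded)
            echo "safe_ssh_add: refusing, $SSH_AUTH_SOCK is a forwarded agent socket held by $owner" >&2
            return 3 ;;
        *)
            echo "safe_ssh_add: cannot tell who owns $SSH_AUTH_SOCK; not adding keys" >&2
            return 4 ;;
    esac
}

# Usage: . ./safe-ssh-add.sh && safe_ssh_add ~/.ssh/id_ed25519
```

The owner lookup deliberately fails closed: if the socket path is not in /proc/net/unix (a different path form, another user's process, no /proc at all) the verdict is "unknown" and no key is added. On systems without /proc the same test can be made with lsof -U or ss -xlp against the socket path.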
