key management with ssh-agent, IdentityFile and info leakage
openssh-unix-dev at mindrot.org
Sun Jun 20 10:00:00 EST 2004
editor's note: just now found something about IdentitiesOnly that might do the
trick. there's some other stuff in here too.
about preventing info leakage [keys for other sites] from appearing in the
client<-->server key negotiation with ssh-agent and IdentityFile.
ssh_config: IdentityFile - the description seems to indicate that only the
specified key will be tried, and that if that key fails, no other keys will be
tried. however, the tests further below prove otherwise.
it would be great if IdentityFile would indeed try only the specified key, by
looking it up in the list of keys held by the running agent and/or on disk.
preserve the existing [broken?] personality by adding something like:

IdentityFileExclusive key - try to locate and use this single key only.
IdentityFilePrefer (agent|disk|agentdisk|diskagent) - use this single
location, or try the locations in this search order. for when the loaded
key differs from the disk key of the same name because some management
app is swapping keys around and a configurable source would be handy.
IdentityFileDefault (yes|no) - try the defkeys if available.
IdentityFileDefaultOrder (first|last) - in this order.
ordering - if multiple IdentityFile's exist in a section, try them in the
order listed.
the ability to [un]lock specific keys in the agent, in addition to the entire
agent, might also be useful. ssh-add -l would then show which keys are locked.
ssh-add -[X|x] [key].
note - -i and -o on the command line should always take precedence. then deal
with agent/files as above. precedence:
1. cmdline
2. usercfg
3. syscfg
OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090703f
yeah, yeah...
test key generation...
cd ~/.ssh ; rm id*
ssh-keygen -t dsa -b 512 -N defpass -C defkey -f id_dsa
for key in a b c ; do
ssh-keygen -t dsa -b 512 -N ${key}pass -C ${key}key -f id_dsa_$key
done
ssh host 'cat > .ssh/authorized_keys' < id_dsa_c.pub
legend. fields with a colon describe the test state:
  srvkey: - key contained in authorized_keys on the server
  cfgkey: - key specified in client config file for that host
  agekey: - key set loaded in agent, in load order
  defkey: - default key name
fields without a colon are the test result, from running for that test number:
  ssh -vvv host find /tmp 2>&1 | egrep '/tmp/ssh-|id_dsa'
(ignore the tmp stuff, used for checking ForwardAgent.)
  agekey - this agent key was tried
  cfgkey - this config key was tried
  defkey - this key was tried
summary... exposed might not be the right word
first, all available agekeys are exposed
second, the cfgkeys are exposed
third, the defkey is exposed
fourth, other configured non-key methods are tried [not shown]
setup...
  srvkey: c
  cfgkey: a
  defkey: id_dsa

test 1...
  agekey: none
    cfgkey a
test 2...
  agekey: c
    agekey c
test 3...
  agekey: b
    agekey b
    cfgkey a
test 4...
  agekey: a
    agekey a
    cfgkey a
test 5...
  agekey: b a
    agekey b
    agekey a
    cfgkey a
test 6...
  agekey: defkey a c
    agekey defkey
    agekey a
    agekey c

setup...
  srvkey: b
test 7...
  agekey: c defkey a b
    agekey c
    agekey defkey
    agekey a
    agekey b
agent listing (ssh-add -l output):
512 d3:3f:d4:1c:b2:1e:53:1e:16:92:77:80:24:db:cb:78 id_dsa_c (DSA)
512 2b:f5:bc:22:fd:2e:97:c5:6b:24:9a:5e:32:a6:51:2e id_dsa (DSA)
512 82:18:ff:64:53:49:e5:b1:d4:4f:1b:4b:88:b4:cf:1e id_dsa_a (DSA)
512 30:12:77:c5:59:09:21:62:06:e7:d7:7e:bc:8a:aa:91 id_dsa_b (DSA)
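the IdentitiesOnly option the editor's note points at is the fix for what the tests show: with IdentitiesOnly yes, ssh offers only the identities named by IdentityFile even when more keys are loaded in the agent. the following is an added example, not part of the original post: a small POSIX sh/awk audit that flags Host blocks pinning an IdentityFile without IdentitiesOnly yes. the host names and the sample config are constructed, and audit_identity_pinning is a hypothetical helper.

```shell
#!/bin/sh
# Added example, not part of the original post: flag ssh_config Host blocks
# that pin an IdentityFile but do not set "IdentitiesOnly yes". That is the
# combination the tests show leaking: the pinned key is tried, but only after
# every key loaded in ssh-agent has been offered to the server.

# Constructed sample config. "leaky" and "pinned" are hypothetical host names;
# the key file name follows the test keys above.
SAMPLE_CONFIG='# leaky: pins a key but still offers every agent key first
Host leaky
    HostName leaky.example.invalid
    IdentityFile ~/.ssh/id_dsa_a

# pinned: only id_dsa_a is offered, from the agent or from disk
Host pinned
    HostName pinned.example.invalid
    IdentityFile ~/.ssh/id_dsa_a
    IdentitiesOnly yes

Host *
    ForwardAgent no
'

# audit_identity_pinning < ssh_config
# Prints the first pattern of each Host block (or "(global)" for settings
# before the first Host line) that has an IdentityFile and no
# "IdentitiesOnly yes". Exit status 1 if any such block exists, else 0.
# Simplification: ssh merges all matching blocks; this checks each block alone.
audit_identity_pinning() {
    awk '
        function flush() { if (has_file && !only) { print host; found = 1 } }
        BEGIN { host = "(global)" }
        # ssh_config keywords are case-insensitive, hence tolower()
        tolower($1) == "host"           { flush(); host = $2; has_file = 0; only = 0; next }
        tolower($1) == "identityfile"   { has_file = 1 }
        tolower($1) == "identitiesonly" { if (tolower($2) == "yes") only = 1 }
        END { flush(); exit (found ? 1 : 0) }
    '
}

# Stand-alone run: prints "leaky" and reports the finding.
if printf '%s\n' "$SAMPLE_CONFIG" | audit_identity_pinning; then
    echo "ok: every IdentityFile host also sets IdentitiesOnly yes"
else
    echo "the hosts above still offer every agent key despite IdentityFile"
fi
```

on an OpenSSH new enough to have ssh -G (6.8 and later), `ssh -G host | grep -i identitiesonly` shows the effective value for a given host.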