new option ssh-add -v to verify if key is loaded into the agent

David Schweikert dws at open.ch
Tue Apr 12 16:38:07 EST 2011


Hi,

On Fri, Apr 08, 2011 at 14:02:08 -0400, Eitan Adler wrote:
> > My problem is that the agent is not under my control. So I could just
> > believe what he is telling me (output of ssh-add -L). But I would like
> > to verify that he is not lying. So this patch verifies cryptographically
> > with challenge/response that the agent has really loaded the private
> > key, identical to the public key authentication via ssh-agent.
> 
> Giving an agent outside of your control access to your private key is
> not a smart thing to do.

I think that you, and the other people that replied to the original post
until now, don't understand what we are trying to achieve with this.

Whenever you connect to a SSH server using public key authentication,
the server verifies your identity with a challenge meant to prove that
you have access to the private key. This works with an ssh-agent by
passing that challenge over to the agent and getting the answer from the
agent back to the server. Note that this is done such that you
can't fetch the full private key from the agent.

The new "ssh-add -v" option does the same thing, but without the server.
It can challenge the ssh-agent to verify that the agent really has
access to a private key. It does so without merely believing what the
agent says, but by using the same challenge method as the server does
for authentication.

This can be used, for example, to implement two-factor authentication
without a major code rewrite in openssh: you can instruct the SSH server
to do password authentication, and then you can additionally also check
the SSH key (provided that agent forwarding is set) via "ssh-add -v"
(using ForceCommand). That's probably a rather fancy use case, but it is
very important to us.

Anyway: this code adds proper, cryptographic verification that an
agent has a certain private key loaded. We think that this function
could be useful to others as well.

Cheers
David
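The challenge/response described in the message above, as an added example that is not part of David's patch or of OpenSSH itself: a small Go program that speaks the ssh-agent wire protocol (message numbers and field layout as in draft-miller-ssh-agent) to do what "ssh-add -v" is meant to do. VerifyKeyInAgent sends an SSH_AGENTC_SIGN_REQUEST carrying a fresh random challenge for one public key and accepts the agent only if the returned signature verifies under that key, which is the same proof sshd demands during publickey authentication. To stay self-contained the example also carries a toy agent (serveAgent) and connects the two over net.Pipe in Demo: one agent really holds the private key, the other advertises the same public key but signs with a key of its own, i.e. the lying agent the thread is about. The function names, the restriction to ssh-ed25519 keys (chosen because Go's standard library can sign and verify them without third-party packages), the single-request toy agent and the constructed demo keys are all assumptions of this example, not anything taken from the patch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"io"
	"net"
)

// ssh-agent message numbers from draft-miller-ssh-agent: FAILURE, SIGN_REQUEST, SIGN_RESPONSE.
const agentFailure, agentcSignRequest, agentSignResponse = 5, 13, 14
var ErrNotProven = errors.New("agent declined, answered garbage, or its signature does not verify")

// sshString encodes an SSH "string" (uint32 big-endian length, then the bytes); agent messages are framed the same way.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}
// readString splits one SSH "string" off the front of buf; ok is false if buf is malformed.
func readString(buf []byte) (val, rest []byte, ok bool) {
	if len(buf) < 4 || uint64(len(buf)-4) < uint64(binary.BigEndian.Uint32(buf)) {
		return nil, nil, false
	}
	n := binary.BigEndian.Uint32(buf)
	return buf[4 : 4+n], buf[4+n:], true
}
// readMsg reads one framed agent message, capping what a hostile peer can make us allocate.
func readMsg(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n == 0 || n > 1<<18 {
		return nil, errors.New("bad agent message length")
	}
	msg := make([]byte, n)
	_, err := io.ReadFull(r, msg)
	return msg, err
}
// pubKeyBlob is the wire form of an ssh-ed25519 public key (the base64 field "ssh-add -L" prints).
func pubKeyBlob(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
}

// VerifyKeyInAgent is the "ssh-add -v" idea: rather than trusting the agent's key list, ask it to sign a
// fresh random challenge and verify the signature with the public key we hold, as sshd does. nil = proven.
func VerifyKeyInAgent(conn io.ReadWriter, pub ed25519.PublicKey) error {
	challenge := make([]byte, 32)
	rand.Read(challenge) // crypto/rand; a fresh nonce, so a signature recorded from an earlier session is useless
	req := append([]byte{agentcSignRequest}, sshString(pubKeyBlob(pub))...)
	req = append(append(req, sshString(challenge)...), 0, 0, 0, 0) // string data, uint32 flags = 0
	if _, err := conn.Write(sshString(req)); err != nil {
		return err
	}
	resp, err := readMsg(conn)
	if err != nil {
		return err
	}
	sig, _, ok1 := readString(resp[1:]) // string signature, itself: string "ssh-ed25519", string raw
	algo, rest, ok2 := readString(sig)
	raw, _, ok3 := readString(rest)
	if resp[0] == agentSignResponse && ok1 && ok2 && ok3 && string(algo) == "ssh-ed25519" &&
		ed25519.Verify(pub, challenge, raw) {
		return nil
	}
	return ErrNotProven // SSH_AGENT_FAILURE, a malformed reply, or a signature the key does not verify
}

// serveAgent is a toy agent that answers one request; keys maps a public-key blob to a private key.
func serveAgent(conn io.ReadWriteCloser, keys map[string]ed25519.PrivateKey) {
	defer conn.Close()
	req, err := readMsg(conn)
	if err != nil {
		return
	}
	resp := []byte{agentFailure} // SSH_AGENT_FAILURE unless we recognise the key
	blob, rest, ok1 := readString(req[1:])
	data, _, ok2 := readString(rest) // the trailing uint32 flags are ignored here
	if priv, found := keys[string(blob)]; req[0] == agentcSignRequest && ok1 && ok2 && found {
		sig := append(sshString([]byte("ssh-ed25519")), sshString(ed25519.Sign(priv, data))...)
		resp = append([]byte{agentSignResponse}, sshString(sig)...)
	}
	conn.Write(sshString(resp))
}
// Demo checks one constructed key against an honest in-process agent and against a liar that advertises
// the same public key but only holds a key of its own (zero seed); it returns both verdicts.
func Demo() (honest, liar error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand; a fresh constructed demo key each run
	check := func(key ed25519.PrivateKey) error {
		client, server := net.Pipe()
		defer client.Close()
		go serveAgent(server, map[string]ed25519.PrivateKey{string(pubKeyBlob(pub)): key})
		return VerifyKeyInAgent(client, pub)
	}
	return check(priv), check(ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)))
}
```

Against a real agent the same VerifyKeyInAgent takes a net.Dial("unix", os.Getenv("SSH_AUTH_SOCK")) connection and the public key whose base64 field in the "ssh-add -L" output decodes to the blob pubKeyBlob builds; keys of other types (RSA, ECDSA) need their own signature-blob parser and verifier in place of ed25519.Verify. In the ForceCommand setup sketched in the message this is the check that runs after password authentication has already succeeded, and the random challenge is what stops an attacker from replaying a signature captured from an earlier session.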


More information about the openssh-unix-dev mailing list