Auth forwarding socket for single auth

Darren Tucker dtucker at
Tue Aug 30 10:17:37 EST 2011

On Tue, Aug 30, 2011 at 1:50 AM, Bostjan Skufca <bostjan at> wrote:
> How about if we make the auth socket configurable in such way, that it
> can be used for just SINGLE authentication, and then it gets closed
> automatically?

A while ago I implemented an escape code (~a I think) that toggled
whether or not the client would accept forwarded agent requests, but
only as a local change.

You could possibly implement this policy as an external SSH_ASKPASS
program, however...

> Let me illustrate host sequence:
> MyHost ---> IntermediateHost ---> FinalHost

If you don't trust IntermediateHost and it has tcp port forwarding
enabled, you can also do something like this:

Host FinalHost
  ProxyCommand ssh -W %h:%p IntermediateHost
  ForwardAgent no
  ForwardX11 no

This will create an end-to-end encrypted connection between MyHost and
FinalHost and won't require agent forwarding on IntermediateHost.  (I
call this "stacked" connections, as opposed to "chained" connections
which is what you're currently doing).

It'll also prevent the possibility of the traffic being compromised on
IntermediateHost (since in your scheme it's decrypted and reencrypted
on IntermediateHost, and thus subject to monitoring and/or change).

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
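
An added example, not part of the original message and not OpenSSH code: a small Python check of whether a host in an ssh_config is reached in the "stacked" form shown above and whether agent forwarding is still effectively on for it, given that ssh uses the first value it obtains for each option. It assumes whitespace-separated `keyword value` lines and does not evaluate `Match` or `Include`; the sample config and the function names are constructed for illustration.

```python
import fnmatch

# Constructed sample: the wildcard stanza comes first, so its ForwardAgent
# value is obtained first and the later "ForwardAgent no" never applies.
SAMPLE = """\
Host *
  ForwardAgent yes

Host FinalHost
  ProxyCommand ssh -W %h:%p IntermediateHost
  ForwardAgent no
  ForwardX11 no
"""

def host_matches(patterns, host):
    """Host line semantics: some positive pattern matches, no negated one does."""
    # Simplification: fnmatch also treats [..] specially, which ssh does not.
    hit = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            hit = True
    return hit

def effective(config_text, host):
    """Options that apply to host; the first obtained value of each one wins."""
    opts, active = {}, True  # lines before the first Host stanza apply to all
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            active = host_matches(value.split(), host)
        elif key == "match":
            active = False  # Match stanzas are not evaluated in this sketch
        elif active:
            opts.setdefault(key, value)
    return opts

def audit(config_text, host):
    """Report whether host is reached via a stacked hop and forwards the agent."""
    o = effective(config_text, host)
    stacked = ("-W" in o.get("proxycommand", "").split()
               or o.get("proxyjump", "none").lower() != "none")
    forwarded = o.get("forwardagent", "no").lower() != "no"
    return {"stacked": stacked, "agent_forwarded": forwarded}
```

On the constructed sample, `audit(SAMPLE, "FinalHost")` reports the host as stacked but with agent forwarding still on; placing the `Host *` stanza after `Host FinalHost` lets the `ForwardAgent no` line take effect.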

More information about the openssh-unix-dev mailing list