ssh-agent use in different security domains

Saku Ytti saku at ytti.fi
Thu Oct 27 05:56:47 EST 2011


On 26 October 2011 21:42, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:

>> Quite. I desire to connect from domain1-server1 to domain1-server2
>> and from domain2-server1 to domain2-server2, so forwarding is needed.
>
> To be clear: agent forwarding is *not* needed in this scenario, and in
> fact it is discouraged.

> But this connection is good:
>
>  ssh -oProxyCommand='ssh -W %h:%p monkey.example' banana.example

Let's assume banana lives in domain2.

Help me understand. How does this help? If you log in to banana with
ssh-agent, can't banana hijack my session and use /any/ key I have in
ssh-agent to ssh in to domain1 servers?

I.e. my understanding is that regardless of how the transport in transit is
done, the ultimate machine must be trusted with /all/ keys my ssh-agent has.
And my desire is to only trust the ultimate transit with a single key in my
ssh-agent, so ultimate destinations can belong to multiple security
domains.

Optimally I'd like to see

'sign request for identity domain1-key from localhost < domain1 < domain2'

Now I'd know that domain2 (or banana) has hijacked my session and is
trying to jump to domain1 servers, which I'd then forbid ssh-agent from doing.
But this, of course, is not possible, as ssh-agent has no idea who wants it to
sign.

-- 
  ++ytti
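The setup the thread is circling around, written out as an added ssh_config example (not from the original post or from OpenSSH's documentation): the -W ProxyCommand never gives monkey or banana an agent socket, so the far host has nothing to ask for signatures with, and a dedicated agent per domain means that even a host that did get a forwarded agent would only see that domain's key. Host names come from the thread; the key file names, socket paths and the `*.domain1.example` pattern are assumed. `IdentityAgent` requires OpenSSH 7.3 or later, which postdates this 2011 thread.

```ssh_config
# ~/.ssh/config -- constructed example; only the host names are from the thread.
#
# One agent per security domain, each started on its own socket and loaded
# with a single key that must be confirmed on every use, e.g.:
#   ssh-agent -a ~/.ssh/agent-domain1.sock
#   SSH_AUTH_SOCK=~/.ssh/agent-domain1.sock ssh-add -c ~/.ssh/domain1-key
# (ssh-add -c prompts per signature but, as noted above, cannot tell you
#  which remote host triggered the request.)

# Domain 1 (assumed host pattern, assumed key/socket paths)
Host *.domain1.example
    IdentityAgent ~/.ssh/agent-domain1.sock
    IdentityFile  ~/.ssh/domain1-key
    IdentitiesOnly yes        # offer this key only, never everything the agent holds
    ForwardAgent no           # domain1 hosts never get a socket to the agent

# Domain 2: monkey is the bastion, banana sits behind it.
Host monkey.example banana.example
    IdentityAgent ~/.ssh/agent-domain2.sock
    IdentityFile  ~/.ssh/domain2-key
    IdentitiesOnly yes
    ForwardAgent no           # neither monkey nor banana can reach any agent

# Reach banana by tunnelling through monkey with -W, as in the quoted
# command. Both hops authenticate from the local machine, so no private key
# and no agent socket ever exists on monkey or banana.
Host banana.example
    ProxyCommand ssh -W %h:%p monkey.example
    # On OpenSSH 7.3+ the equivalent is:  ProxyJump monkey.example
```

With this in place, `SSH_AUTH_SOCK=~/.ssh/agent-domain2.sock ssh-add -l` should list exactly one key, and on banana there is no `SSH_AUTH_SOCK` at all; a domain1 key can therefore not be used from a domain2 host, whatever that host does with the session.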


More information about the openssh-unix-dev mailing list