ssh-agent use in different security domains

Saku Ytti saku at ytti.fi
Thu Oct 27 06:43:10 EST 2011


On 26 October 2011 22:29, Peter Stuge <peter at stuge.se> wrote:

>> Maybe 'ssh-add -c' is something I want (otoh it should prompt always?
>> Which would be annoying.)
>
> I don't find it so annoying. It takes a few logins to get used to the
> extra prompt, but that's it. I use x11-ssh-askpass which is fast and
> shows an unobtrusive prompt.

Well, I must agree with you, considering the alternative is being insecure
by definition or not using ssh-agent. It doesn't seem like that big a problem.

(I figured out why it didn't work for me: I'm using some GNOME agent, which
likely does not support this or is just buggy.)

Anyhow, my coworker is quite seriously thinking of writing a patch which
would display a prompt for sign requests including the full path between
the requested host and localhost (or for legacy hosts it would just prompt
that 'legacy host wants to sign with identity foo', with no path and no host
displayed).

He said it's not an exactly difficult patch to make. But how likely would it be
to get something like this integrated upstream?

Today I feel that most people simply accept the security risk: if you have
multiple ssh keys in your 'ssh-add' and you're not using -c, you are highly
likely accessing two or more security domains and bridging the domains
together.

-- 
  ++ytti
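
As an added illustration of the domain-separation point made in this message (not part of the thread or of OpenSSH's own documentation), an ssh_config that keeps each security domain's key and agent forwarding apart; the hostnames and key file names are assumptions:

```sshconfig
# Added example with constructed hostnames and key paths.
#
# Weak setup this thread warns about: every key loaded into one agent with
# plain 'ssh-add', every key offered to every host, and forwarding enabled
# globally, e.g.
#   Host *
#       ForwardAgent yes
# A compromised host in one domain can then ask the forwarded agent to sign
# with the other domain's key, with no prompt on the local machine.

# Corrected setup: one key per security domain, only that key offered to
# hosts in that domain, forwarding only where it is actually needed.
# Specific Host blocks come first because ssh uses the first value obtained
# for each option; the catch-all defaults go last.

# Work domain (assumed hostnames)
Host *.corp.example.com bastion-work
    IdentityFile ~/.ssh/id_ed25519_work
    ForwardAgent yes

# Personal domain (assumed hostnames)
Host *.home.example.net
    IdentityFile ~/.ssh/id_ed25519_personal

# Defaults for everything else: no forwarding, and never offer identities
# the agent happens to hold beyond the IdentityFile configured for the host.
Host *
    ForwardAgent no
    IdentitiesOnly yes

# Load the keys with confirmation, so a signing request arriving through a
# forwarded agent still has to be approved locally (the 'ssh-add -c' discussed
# in the thread):
#   ssh-add -c ~/.ssh/id_ed25519_work
#   ssh-add -c ~/.ssh/id_ed25519_personal
```

IdentitiesOnly limits which keys ssh offers, but it does not stop a remote host from asking a forwarded agent to sign with any key it holds; that is what the -c confirmation covers.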
