ssh-agent use in different security domains
peter at stuge.se
Thu Oct 27 07:49:00 EST 2011
Saku Ytti wrote:
> > Only your ssh program instance can talk with your ssh-agent, because it
> > is running locally. Without agent forwarding, programs on the other host
> > can't connect to your agent, much less use your keys.
> Quite, but question here is, when you need to have ssh-agent in two
> different security domains. How do to do it.
You're basically not supposed to.
Instead, you let each hop in every domain talk with your agent
directly, without using forwarding.
> Right now my solution seems to be that the higher security domain
> (domain1) I'll add with ssh-add -c and the less secure I can add
> normally (I don't care if domain1 evil admin hijacks and jumps to
> domain2 as me).
The logic seems inverted. Add the less secure domain with -c.
> To decrease annoyance of constant prompt, I'll use ControlMaster
> for domain1.
It's not so annoying, really. But ControlMaster is a good idea in any
case! It makes everything faster too!
> Optiomal solution will inform ssh-agent who exactly is requesting
> the signing, so user can decide if it's expected/allowed or not.
Regardless of C skill you've studied the SSH and agent protocols by
now, so you know that this is not so simple.
More information about the openssh-unix-dev