ssh-agent use in different security domains

Alex Bligh alex at alex.org.uk
Thu Oct 27 17:52:26 EST 2011



--On 26 October 2011 16:52:43 -0400 Daniel Kahn Gillmor 
<dkg at fifthhorseman.net> wrote:

> On 10/26/2011 03:15 PM, Saku Ytti wrote:
>> If there is usage scenario for ForwardAgent, there is usage scenario for
>> ForwardAgent in multiple security domains.
>
> I suppose i'm arguing right now that the only legitimate usage scenario
> for ForwardAgent is when the user doesn't understand how to use
> ProxyCommand for a jumphost.

I think if anything you've understated the problems of agent forwarding.

Firstly, the problem you've already mentioned (which is solved by the 
proxycommand approach): the agent provides the data necessary to log into 
the remote host (based on the private key) at the instigation of an 
intermediate host, which might be compromised. Whilst the intermediate host 
does not get the private key, there is currently nothing in the protocol to 
prevent the intermediate host asking for such a key for bogus reasons, 
which as far as I can tell is as good as having access to the private key 
whilst the ssh session is up. Even if something was done with the host key 
of the remote host such that the private key could only be used to ssh to 
that host, nothing would stop the intermediate host using this to ssh in to 
that host and perform different commands from those the user intended. I 
think this is unfixable.

Secondly, the problem you haven't mentioned (which is also solved by the 
proxy command): a root user on the intermediate session has access to the 
cleartext of the session to the remote host.

There is a quasi-legitimate reason for ForwardAgent: where the intermediate 
host is in the same trust zone, but it is inconvenient to store the private 
keys there, or where the private keys are encrypted and there's some 
friendly UI at the local host. Though these also work with ProxyCommand, I 
am not sure you can ProxyCommand and ssh -W with (e.g.) scp. How do you do, 
for instance, "scp -3" with two different ProxyCommands?

I'm also not sure you can use ProxyCommand to use more than one 
intermediate host in a row.

What I'd like to see is (and I think this is just command line processing, 
plus possibly detection of -W support on the intermediate host):

   ssh --via intermediateA1.example.com
       --via intermediateA2.example.com
       remoteA.example.com

and

   scp -3 --via intermediateA1.example.com
          --via intermediateA2.example.com
          remoteA.example.com:file
          --via intermediateB1.example.com
          --via intermediateB2.example.com
          remoteB.example.com:file

For completeness, rather than -W, I've used port forwarding of port 22 to
achieve the same thing. This can cope with as many hops as you like, but
is a bit clunky.

-- 
Alex Bligh
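The multi-hop ProxyCommand setup discussed above, as an added example that is not part of the mailing-list post or of OpenSSH itself. The script builds per-host ssh_config stanzas that chain `ssh -W` through any number of intermediate hosts, with `ForwardAgent no` on every hop so the agent socket never reaches an intermediate, and includes a small audit that flags stanzas which enable agent forwarding. Host names (`intermediateA1.example.com`, `remoteA.example.com`, and so on) are taken from the post; the function names are this example's own. It assumes the local ssh understands `-W` (OpenSSH 5.4 or later) and that each intermediate's sshd permits TCP forwarding, since every `ssh -W` process runs on the local machine and asks the hop it is connected to for a forwarded TCP channel.

```shell
#!/bin/sh
# Added example: chain ProxyCommand through a list of jump hosts with `ssh -W`,
# and audit an ssh_config for stanzas that turn agent forwarding on.

# chain_config TARGET HOP1 [HOP2 ...]
# Emits one "Host" stanza per hop and one for TARGET. Each stanza reaches its
# host through the previous hop, so the client tunnels hop by hop; no private
# key and no agent socket is ever exposed to an intermediate.
chain_config() {
    target=$1
    shift
    prev=""
    for hop in "$@" "$target"; do
        printf 'Host %s\n' "$hop"
        printf '    HostName %s\n' "$hop"
        # Never hand the agent socket to an intermediate host.
        printf '    ForwardAgent no\n'
        if [ -n "$prev" ]; then
            # %h and %p are ssh_config tokens for the host and port of the
            # stanza being connected to; the ProxyCommand itself runs locally.
            printf '    ProxyCommand ssh -W %%h:%%p %s\n' "$prev"
        fi
        printf '\n'
        prev=$hop
    done
}

# audit_forward_agent < ssh_config
# Prints the Host pattern of every stanza that sets "ForwardAgent yes".
# Exit status is 1 if any were found, 0 otherwise.
audit_forward_agent() {
    awk '
        tolower($1) == "host" { host = $2 }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Usage: two independent chains, one per remote. Because scp invokes ssh for
# each endpoint and ssh reads these stanzas by host name, a later
#   scp -3 remoteA.example.com:file remoteB.example.com:file
# would traverse the A chain and the B chain respectively.
chain_config remoteA.example.com intermediateA1.example.com intermediateA2.example.com
chain_config remoteB.example.com intermediateB1.example.com intermediateB2.example.com
```

Append the generated stanzas to `~/.ssh/config` (or a file passed with `ssh -F`), then `ssh remoteA.example.com` or the `scp -3` above needs no `--via` flags. Running an existing config through `audit_forward_agent` is a quick check that no stanza has quietly re-enabled forwarding.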

