ssh-agent use in different security domains
alex at alex.org.uk
Thu Oct 27 17:52:26 EST 2011
--On 26 October 2011 16:52:43 -0400 Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> On 10/26/2011 03:15 PM, Saku Ytti wrote:
>> If there is usage scenario for ForwardAgent, there is usage scenario for
>> ForwardAgent in multiple security domains.
> I suppose i'm arguing right now that the only legitimate usage scenario
> for ForwardAgent is when the user doesn't understand how to use
> ProxyCommand for a jumphost.
I think if anything you've understated the problems of agent forwarding.
Firstly, the problem you've already mentioned (which is solved by the
proxycommand approach): the agent provides the data necessary to log into
the remote host (based on the private key) at the instigation of an
intermediate host, which might be compromised. Whilst the intermediate host
does not get the private key, there is currently nothing in the protocol to
prevent the intermediate host asking for such a key for bogus reasons,
which as far as I can tell is as good as having access to the private key
whilst the ssh session is up. Even if something was done with the host key
of the remote host such that the private key could only be used to ssh to
that host, nothing would stop the intermediate host using this to ssh in to
that host and perform different commands from those the user intended. I
think this is unfixable.
Secondly, the problem you haven't mentioned (which is also solved by the
proxy command): a root user on the intermediate session has access to the
cleartext of the session to the remote host.
There is a quasi-legitimate reason for ForwardAgent: where the intermediate
host is in the same trust zone, but it is inconvenient to store the private
keys there, or where the private keys are encrypted and there's some
friendly UI at the local host. Though these also work with ProxyCommand, I
am not sure you can ProxyCommand and ssh -W with (e.g.) scp. How do you do,
for instance "scp -3" with two different ProxyCommands?
I'm also not sure you can use ProxyCommand to use more than one
intermediate host in a row.
What I'd like to see is (and I think this is just command line processing,
plus possibly detection of -W support on the intermediate host):
ssh --via intermediateA1.example.com
scp -3 --via intermediateA1.example.com
For completeness, rather than -W, I've used port forwarding of port 22 to
achieve the same thing. This can cope with as many hops as you like, but
is a bit clunky.
More information about the openssh-unix-dev