[PATCH] 'ssh -A' / 'ssh-add -c' crossref

Daniel Shahaf d.s at daniel.shahaf.name
Sat May 3 08:15:53 EST 2014


The documentation of 'ssh -A' does not mention that the risks can be somewhat
mitigated by using the '-c' option of 'ssh-add'.  In my experience, people are
unaware of the '-c' option, so I suggest to point to it from the documentation
of '-A':

Index: ssh.1
RCS file: /cvs/src/usr.bin/ssh/ssh.1,v
retrieving revision 1.345
diff -u -r1.345 ssh.1
--- ssh.1	19 Apr 2014 18:42:19 -0000	1.345
+++ ssh.1	2 May 2014 20:14:18 -0000
@@ -121,6 +121,11 @@
 An attacker cannot obtain key material from the agent,
 however they can perform operations on the keys that enable them to
 authenticate using the identities loaded into the agent.
+Using the
+.Fl c
+flag of
+.Xr ssh-add 1 
+can reduce (but not eliminate) the risk.
 .It Fl a
 Disables forwarding of the authentication agent connection.
 .It Fl b Ar bind_address

I'm not married to the specific text in the patch; I'd just like the
documentation of -A to contain a crossref to -c.



More information about the openssh-unix-dev mailing list