Filtering which identities are forwarded by ssh-agent to a given host
Ángel González
keisial at gmail.com
Mon Feb 2 10:48:30 AEDT 2015
On 02/02/15 00:18, Damien Miller wrote:
> On Sun, 1 Feb 2015, Bill Nugent wrote:
>> Host network-a-gateway.example.com
>> ForwardIdentity .ssh/network-a-2014-10-12
>> and allow additional ForwardIdentity to allow additional keys.
> It's not possible to do this unfortunately, but is a feature that I've
> wanted for a long time. Implementing it required teaching ssh enough
> of the agent protocol to filter requests sent through it, and doing
> it exactly right so that users' agents aren't exposed when they connect
> to a malicious server - so it's not without risk.
IMHO the way to go is not to teach ssh the agent protocol, but to modify
the agent protocol so that each request gets prepended with the hostname
requesting it (forwarded connections would contain the full chain).
Then the agent itself would decide which keys to expose to such a host.
"foo is available for any host", "Provide network-a-key only to
ssh.network-a.com and anything that passed through ssh.network-a.com.",
"Key bar is shown to all hosts but a confirmation dialog will be shown
to the user pointing at the host requesting it.", and so on.
Regards
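The following is an added model of the design sketched in the message above; it is not part of the thread and not OpenSSH code. It assumes a hypothetical message type (MSG_TAGGED_REQUEST = 200), an SSH-style length-prefixed framing for the host chain, and a KeyPolicy record with the fields hosts, via_ok and confirm; all of these are assumptions chosen to illustrate the idea. Each forwarding ssh client prepends the host it is connected to, so the agent receives the full chain (nearest hop first, requester last) and applies a per-key rule such as the three quoted above.

```python
"""Toy model of an agent that sees the chain of hosts behind each request
and decides per key whether to answer, refuse, or ask the user.
Hypothetical framing and policy fields; not the real ssh-agent protocol."""
import struct
from dataclasses import dataclass
from enum import Enum

# Hypothetical message type meaning "agent request carrying a host chain".
# Not defined in any real ssh-agent specification.
MSG_TAGGED_REQUEST = 200

# Constructed payload: the unframed SSH_AGENTC_REQUEST_IDENTITIES message (type 11).
LIST_KEYS = bytes([11])


def tag_request(msg: bytes, remote_host: str) -> bytes:
    """What a forwarding ssh client would do: prepend the host it is connected
    to onto whatever chain msg already carries (none if msg came from a local
    process). The hop nearest the user ends up first, the requester last."""
    chain, payload = parse_request(msg)
    chain = [remote_host] + chain
    out = bytes([MSG_TAGGED_REQUEST]) + struct.pack(">I", len(chain))
    for host in chain:
        encoded = host.encode("ascii")
        out += struct.pack(">I", len(encoded)) + encoded  # SSH-style string
    return out + payload


def parse_request(msg: bytes):
    """Split a request into (host chain, original agent message).
    The chain is attacker-influenced wire data, so every length is bounds-checked."""
    if not msg or msg[0] != MSG_TAGGED_REQUEST:
        return [], bytes(msg)  # untagged: a plain local request
    if len(msg) < 5:
        raise ValueError("truncated chain header")
    (count,) = struct.unpack_from(">I", msg, 1)
    off = 5
    chain = []
    for _ in range(count):
        if off + 4 > len(msg):
            raise ValueError("truncated host chain")
        (n,) = struct.unpack_from(">I", msg, off)
        off += 4
        if off + n > len(msg):
            raise ValueError("truncated host name")
        chain.append(msg[off:off + n].decode("ascii"))  # hostnames are ASCII
        off += n
    return chain, bytes(msg[off:])


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    CONFIRM = "confirm"  # show the user a dialog naming the requesting host


@dataclass(frozen=True)
class KeyPolicy:
    key_name: str
    hosts: frozenset = frozenset()  # empty means "any host"
    via_ok: bool = False            # also allow hosts reached through an allowed host
    confirm: bool = False           # ask the user before answering


def decide(policy: KeyPolicy, chain: list) -> Decision:
    """Apply one key's rule to the host chain of a request."""
    if policy.hosts:
        direct = bool(chain) and chain[-1] in policy.hosts
        via = policy.via_ok and any(h in policy.hosts for h in chain[:-1])
        if not (direct or via):
            return Decision.DENY
    return Decision.CONFIRM if policy.confirm else Decision.ALLOW


def keys_for(policies, msg: bytes) -> dict:
    """Which keys the agent would expose for this request, and how."""
    chain, _payload = parse_request(msg)
    result = {}
    for p in policies:
        d = decide(p, chain)
        if d is not Decision.DENY:
            result[p.key_name] = d
    return result


# The three rules quoted in the message, as constructed policies.
POLICIES = [
    KeyPolicy("foo"),
    KeyPolicy("network-a-key", hosts=frozenset({"ssh.network-a.com"}), via_ok=True),
    KeyPolicy("bar", confirm=True),
]

if __name__ == "__main__":
    # Hop 1: user's ssh -> ssh.network-a.com; hop 2: from there -> internal host.
    via_gateway = tag_request(tag_request(LIST_KEYS, "internal.network-a.com"),
                              "ssh.network-a.com")
    print(parse_request(via_gateway)[0], keys_for(POLICIES, via_gateway))
    print(keys_for(POLICIES, tag_request(LIST_KEYS, "evil.example.com")))
```

One design caveat the model makes visible: only the first element of the chain is written by the user's own ssh client; every later element is asserted by an intermediate host, so a rule like "anything that passed through ssh.network-a.com" is really a decision to let that first hop vouch for whatever sits behind it, and the confirm option is the natural fallback for keys where that is not acceptable.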