Filtering which identities are forwarded by ssh-agent to a given host
Ángel González
keisial at gmail.com
Wed Feb 4 09:27:28 AEDT 2015
On 02/02/15 03:53, Damien Miller wrote:
> On Mon, 2 Feb 2015, ?ngel Gonz?lez wrote:
>
>> IMHO the way to go is not teach ssh the agent protocol, but modify the agent
>> protocol so that each request gets prepended the hostname requesting it
>> (forwarded connections would contain the full chain)
> Then you have to modify all of ssh, sshd and ssh-agent and doesn't
> work until they are all upgraded.
Only ssh-agent and ssh (and the change to the former could be trivial)
> Moreover, unless you include signing (by the hostkey) for forwarded hops
> and verification of same at the agent side, then you can't trust anything
> past the first hop.
I wasn't attempting to go that far. Just accountability, similar to how
Received:
headers work in SMTP. And yes, you can't trust anything past the first
evil hop.
Still, I see many benefits compared to the current all-or-nothing agent
trust.
(Of course, to be really sure that nobody intercepts the agent request,
you MUST
perform the ssh connection locally, with a ProxyCommand. Full Stop)
More information about the openssh-unix-dev
mailing list