Unable to use ssh-agent with confirmation, when logged in on a virtual terminal

Emanuel Rietveld e.j.rietveld at gmail.com
Tue Mar 3 08:50:32 AEDT 2015


>I mostly found this option mentioned in connection with agent forwarding,
>and that's the use case I have.
>
>The benefit being that no one can use the 'forwarded' key/identity, unless
>I confirm it. So me forwarding my identity to a server getting hacked does
>not compromise security.

I'm using the below script to prompt for confirmation when agent
forwarding. Please keep in mind the following disclaimer: I don't really
know what I'm doing. It works for me, but I don't fully understand all the
moving parts and that it works *for now* could just be a happy accident.

#!/bin/bash
set -o errexit
set -o nounset

# This script is useful when forwarding your agent to an untrusted
# server. It works without X.
#
# To use this script, export DISPLAY=FAKE
# SSH_ASKPASS=/path/to/this/script SSH_ASKPASS_TTY=$(tty)
# before you do eval `ssh-agent` (these variables should end up in the
# environment ssh-agent runs in).
# Then add keys to the agent with ssh-add -c /path/to/key
# ssh-agent will then call this script to ask you for confirmation
# when asked for that key.
#
# DISPLAY and SSH_ASKPASS must be set so this script will be called at
# all. Once we're in this script, it is not clear what terminal we
# should ask for confirmation on, since ssh-agent detaches from the tty.
# That's why we pass the tty in as an environment variable as well.

# Connect stdin, stdout, and stderr to the tty
exec 0<"$SSH_ASKPASS_TTY"
exec 1>"$SSH_ASKPASS_TTY"
exec 2>"$SSH_ASKPASS_TTY"

# We're most likely being called when the tty is already in use by
# ssh, which changes tty settings.
# First set the tty to something sane, so we can ask for confirmation.
original_tty_settings=$(stty -g)
# Restore the tty settings that ssh was using on every exit path,
# including the timeout below (errexit would otherwise skip the restore).
trap 'stty "$original_tty_settings"' EXIT
stty sane

# $@ is passed in from ssh-agent, and includes which key is being requested.
echo "$@"
# 5 second timeout. read exits non-zero on timeout, which would trip
# errexit, so treat a timeout as "no answer" instead of aborting.
answer=""
read -r -t5 answer || answer=""

# Zero exit status means we approve this authentication request.
if [[ "$answer" == "y" ]]; then
  exit 0
fi

exit 1


More information about the openssh-unix-dev mailing list