Using two agents

Sun May 31 01:25:13 AEST 2015

On Sat, May 30, 2015 at 10:38 AM, Phil Pennock <phil.pennock at globnix.org> wrote:
> On 2015-05-30 at 15:00 +0200, Kasper Dupont wrote:
>> On my laptop I have key1 and key2. I can use key1 to log in
>> on server1, and I can use key2 to log in on server2. I want
>> neither key to leave the laptop, and only key2 is allowed
>> to be forwarded to other hosts.
>
> As validation for what Kasper is saying, so that others know that it's
> not just him:
>
> $work would use the feature you describe.  At present, the key1 that you
> describe is unencrypted :( but is used for perimeter access, while key2
> is used for intra-cluster access, but because it's forwarded onto less
> trusted hosts, can't be allowed to be used for getting into the cluster
> in the first place -- we constrain the impact of a breach.  Not ideal.
>
> We'd like to move to using transient certificates issued for perimeter
> access, using OpenSSH CA, but that requires that the key1 role be loaded
> from an agent.  If we move to the same transient certificate used for
> the key2 role then we get all the benefits of short-lived proof, but we
> lose our containment of impact of breach.
>
> So if you come up with a solution letting the ssh(1) command be told to
> use one agent for auth to the remote host but to pass a different agent
> as the forwarded auth signer, we would use it too.

The workable, but fugly solution is to load an ssh-agent with the keys
you want in environment two, keep a local unencrypted private key for
permiter access to environment one stored in a shielded, protected,
ideally locally disk partition encrypted location, and set up
$HOME/.ssh/config with a "Host" entry to specify that
non-standard-location unencrypted key location to use for accessing
that permiter host or those perimeter hosts. I don't like this
solution myself, but it satisfies all the stated requirements of "I
don't want to keep typing my perimeter key passphrase"

I'll also point out that with Gnome and KDE there are wallets to hold
keys and to unlock them once in the wallet that might be useful.

Another workaround is to set an ssh-agent with both keys and
automatically delete that first key, if present, in your .bashrc or
.login procedures in the remote account. That doesn't keep the first
private key around for repeated logins, but that might be enough for
some circumstances.

Mind you, I've never been complete thrilled with ssh-agent. If you
really want to segregate credentials for different environments, you
might look into Kerberos based authentication, which can provide a
very different approach to finer grained credential management. I just
wish I could get it to work with Subversion.....