Is there any solution, or even work on, limiting which keys gets forwarded where?
Phil Pennock
phil.pennock at globnix.org
Tue Oct 20 10:35:30 AEDT 2015
On 2015-10-16 at 12:47 +0200, hubert depesz lubaczewski wrote:
> But the flip side is that using agent opens access to all keys in it
> from any connected host :(
I scripted a setup which generates different `config` and `known_hosts`
files in ~/.ssh and has a wrapper around invoking ssh which uses those
files. The wrapper looks in an index file (also generated) to decide
which ssh-keys need to be loaded for which destinations and starts a
dedicated ssh-agent before connecting.
This works well for our use-case. Persistent connection to a jump-host;
SSH key to reach the jump-host doesn't need to be (and isn't) the key
which is loaded into the agent (so that the key passed around for use
remotely does not grant access to the perimeter). It's not the cleanest
and requires strict hygiene to protect against people helpfully setting
the internal key to grant access to the perimeter class of machines.
The core boils down to (with some renaming):
# start a dedicated agent for this invocation only
eval $(ssh-agent -s)
#... stuff including loading the correct keys
# refuse to connect if nothing got loaded (ssh-add -l is non-zero then)
if ssh-add -l >|/dev/null 2>&1 ; then
true # all is good
else
echo >&2 "${0}: WARNING: NO SSH KEYS FOUND LOADED INTO AGENT"
eval $(ssh-agent -k)
exit 1
fi
# let ssh fail without aborting the script, so the agent is always killed
set +e
${SSH_CMD:-ssh} -F "${YourSpecialConfigFile:?}" "$@"
exit_status=$?
set -e
# tear the dedicated agent down and pass ssh's status back to the caller
eval $(ssh-agent -k)
exit $exit_status
where the stanzas in the config file should include:
IdentityFile path/to/perimeter/access
IdentitiesOnly yes
UserKnownHostsFile ~/.ssh/your_special_config_file
StrictHostKeyChecking yes
ForwardAgent yes
-Phil
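A wrapper along the lines described in the post, written here as an added example rather than Phil's script: it assumes a hypothetical index file that maps host globs to comma-separated key paths, loads only the matching keys into a dedicated agent, and always kills that agent afterwards.

```shell
#!/bin/sh
# Added example (not the original poster's code).
# Assumed, hypothetical index file format, one entry per line:
#   <host-glob>  <key-path>[,<key-path>...]
# Only the keys of the first matching entry are loaded into a dedicated,
# short-lived ssh-agent, so a ForwardAgent session to one destination
# never exposes keys meant for another class of hosts.

# keys_for_host INDEXFILE HOST: print the key paths (one per line) for the
# first entry whose glob matches HOST; return 1 when nothing matches.
keys_for_host() {
    index=$1; host=$2
    while read -r pattern keylist; do
        # skip blank lines and comments
        case $pattern in ''|'#'*) continue ;; esac
        # plain shell glob match, e.g. *.internal.example
        case $host in $pattern)
            printf '%s\n' "$keylist" | tr ',' '\n'
            return 0 ;;
        esac
    done < "$index"
    return 1
}

# run_isolated INDEXFILE CONFIG HOST [ssh args...]: dedicated agent, only the
# indexed keys, then ssh, then the agent is killed whatever ssh returned.
# Key paths are assumed to contain no whitespace.
run_isolated() {
    index=$1; config=$2; host=$3; shift 3
    keys=$(keys_for_host "$index" "$host") || {
        echo "$0: no keys indexed for $host" >&2; return 1; }
    eval "$(ssh-agent -s)" >/dev/null
    for k in $keys; do
        ssh-add "$k" || { eval "$(ssh-agent -k)" >/dev/null; return 1; }
    done
    # same sanity check as in the post: refuse to connect with an empty agent
    ssh-add -l >/dev/null 2>&1 || {
        echo "$0: WARNING: NO SSH KEYS FOUND LOADED INTO AGENT" >&2
        eval "$(ssh-agent -k)" >/dev/null; return 1; }
    ssh -F "$config" "$host" "$@"
    status=$?
    eval "$(ssh-agent -k)" >/dev/null
    return $status
}
```

The config file passed as CONFIG is expected to carry the IdentitiesOnly / IdentityFile stanzas from the post, so the perimeter key is read from disk for the hop and never enters the forwarded agent.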