Proposal for hardening agent forwarding
James Bottomley
James.Bottomley at HansenPartnership.com
Sun Mar 14 04:14:21 AEDT 2021
On Fri, 2021-03-12 at 07:00 +0000, Mitchell Blank Jr wrote:
> Hello.
>
> This week I've been experimenting with some hardening of the agent-
> forwarding process. I know there have been other proposals in the
> past, but I thought I'd share what I have in case they are of any
> upstream interest.
>
> For easier review (and to spare your inboxes) I just opened it as a
> PR on the openssh-portable github mirror here:
> https://github.com/openssh/openssh-portable/pull/233
>
> In short it's similar functionality to Timo Weingärtner's ssh-agent-
> filter tool that many are probably already familiar with, but
> integrated directly into the openssh client.
>
> I just did this for my own use-case, but if some of it is interesting
> as an upstream addition feel free to re-use whatever parts you want.
Filtering the keys by connection would block my usual use case: bastion
hosts that only do rsa. My TPM is pretty slow at RSA so I usually use
ecdsa for the onward connection to make the total time to connect to
the interior host vaguely bearable.
If -c enough, what about logging all connections so you can verify
after the fact you weren't hacked ... a sort of transparency log
approach which is very popular today?
James
More information about the openssh-unix-dev
mailing list