[Bug 1499] Add "ForwardAgent ask" to ssh_config

bugzilla-daemon at bugzilla.mindrot.org
Tue Sep 1 16:23:02 EST 2009

https://bugzilla.mindrot.org/show_bug.cgi?id=1499

--- Comment #3 from Damien Miller <djm at mindrot.org> 2009-09-01 16:23:01 EST ---
I had something more simple in mind: have ssh(1) send a magic request
(SSH_AGENTC_CONSTRAIN_CHANNEL / SSH2_AGENTC_CONSTRAIN_CHANNEL) that
marks the entire listen socket as "untrusted" rather than doing it on a
per-request basis. This has a couple of advantages:

1) no need to extend the per-request agent protocol. Presently unknown
requests are refused without killing the protocol, so ssh(1) can make
up its mind on whether to drop the connection if the agent refused the
constraint (e.g. to be determined by the ExitOnForwardingFailure
option)

2) a compromised ssh(1) can't lie and get use of the keys after
connection. Since the agent connection is established before much
interaction with the server, there isn't much opportunity for a hostile
server to corrupt the client. Even if a ssh(1) is owned later, the
CONSTRAIN_CHANNEL message is irrevocable so the user has at least some
chance to see if something is awry. This might matter in some
configurations where ssh(1) is sandboxed in some way.

There are some caveats though:

1) ssh needs to learn to interpret (a subset of) the agent protocol.
Right now the agent is pretty much a dumb pipe.

2) We need to find some weasel wording for the manpage to explain the
trust relationship between the agent and the ssh client. Right now
there isn't much of one, but with this change ssh(1) will be trusted to
correctly label connections.

To go further than this, it might be possible to sign agent requests
with the host keys (or some derivative thereof) of each intervening
host that the agent is forwarded through, but this would need careful
design and analysis. It wouldn't be trivially backwards compatible like
this proposal either.
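As an added illustration, not code from the bug or from OpenSSH, the following toy model shows the agent side of the proposal: messages use the agent's length-prefixed framing, an unknown request type is refused with SSH_AGENT_FAILURE without dropping the connection, and a CONSTRAIN_CHANNEL message marks the connection untrusted for the rest of its life. The type number 250 for the proposed message is an assumption (the bug assigns none), as is treating the constraint as "each key use must pass a confirmation callback", a stand-in for the "ask" prompt in the bug title.

```python
import struct

# Real SSH agent protocol message numbers.
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH2_AGENTC_REQUEST_IDENTITIES = 11
SSH2_AGENT_IDENTITIES_ANSWER = 12
SSH2_AGENTC_SIGN_REQUEST = 13
SSH2_AGENT_SIGN_RESPONSE = 14
# Assumed type number for the proposed message; the bug names it but assigns no value.
SSH2_AGENTC_CONSTRAIN_CHANNEL = 250

def frame(msg_type, payload=b""):
    """Agent wire format: uint32 length, then one type byte and the payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body

def unframe(buf):
    """Split a byte stream into (type, payload) pairs; a partial tail is left unread."""
    msgs, off = [], 0
    while off + 4 <= len(buf):
        (length,) = struct.unpack(">I", buf[off:off + 4])
        if length == 0 or off + 4 + length > len(buf):
            break
        body = buf[off + 4:off + 4 + length]
        msgs.append((body[0], body[1:]))
        off += 4 + length
    return msgs

class AgentConnection:
    """One accepted connection on the agent's listen socket."""
    def __init__(self, confirm):
        self.confirm = confirm   # stand-in for the user prompt behind "ask"
        self.untrusted = False   # set once by CONSTRAIN_CHANNEL, never cleared

    def handle(self, msg_type, payload):
        if msg_type == SSH2_AGENTC_CONSTRAIN_CHANNEL:
            self.untrusted = True          # irrevocable for this connection
            return frame(SSH_AGENT_SUCCESS)
        if msg_type == SSH2_AGENTC_REQUEST_IDENTITIES:
            return frame(SSH2_AGENT_IDENTITIES_ANSWER, struct.pack(">I", 0))
        if msg_type == SSH2_AGENTC_SIGN_REQUEST:
            if self.untrusted and not self.confirm(payload):
                return frame(SSH_AGENT_FAILURE)  # user declined this key use
            return frame(SSH2_AGENT_SIGN_RESPONSE, b"<signature>")  # stand-in
        return frame(SSH_AGENT_FAILURE)    # unknown request: refuse, keep talking

def serve(stream, confirm=lambda payload: False):
    """Run a raw client byte stream through one connection; return response types."""
    conn = AgentConnection(confirm)
    return [unframe(conn.handle(t, p))[0][0] for t, p in unframe(stream)]
```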
