[Bug 1499] Add "ForwardAgent ask" to ssh_config

bugzilla-daemon at bugzilla.mindrot.org
Sun May 15 19:59:01 AEST 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=1499

Simon Arlott <bugzilla.mindrot-org.simon at arlott.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla.mindrot-org.simon@
                   |                            |arlott.org

--- Comment #5 from Simon Arlott <bugzilla.mindrot-org.simon at arlott.org> ---
I have gpg-agent set up to ask me to confirm each use of the key for
authentication so that each act of forwarding by a remote host is
confirmed.

This gets extremely annoying when I make lots of connections from my
local host, as I already have to trust my own "ssh" command, so it should
not need to prompt for this.

(In reply to Damien Miller from comment #3)
> I had something more simple in mind: have ssh(1) send a magic
> request (SSH_AGENTC_CONSTRAIN_CHANNEL /
> SSH2_AGENTC_CONSTRAIN_CHANNEL) that marks the entire listen socket
> as "untrusted" rather than doing it on a per-request basis.

I'd like this because it'd solve my problem by allowing gpg-agent to
only request confirmation on subsequent authentication requests.

It would be helpful if ssh could include a "user@host" in the constrain
message, so that this could also be displayed, providing some context
as requested by bug 1876.


(In reply to Damien Miller from comment #3)
> To go further than this, it might be possible to sign agent requests
> with the host keys (or some derivative thereof) of each intervening
> host that the agent is forwarded through, but this would need careful
> design and analysis. It wouldn't be trivially backwards compatible
> like this proposal either.

If you wanted to provide context for different remote hosts, you could
have each agent forwarding socket create a new connection all the way
back to the original ssh client, and use multiple "constraint channel"
messages to indicate the path.

When you're using a forwarded agent and ssh elsewhere, a new agent
connection would be made and each ssh client up the path to the
original host could add its own constrain message indicating where it
had connected to. You'd have to trust each host in the path to tell you
where it's connecting to but this is already the case.

Even if the agent requests were signed, or you could prove that you
were connecting to a known remote host and the key data would only work
on that one authentication, you can't necessarily trust the remote host
not to do something malicious with your connection. Knowing that the path
you (appear to) take to reach the new remote host is the one you expect
would be enough.

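Added example, not code from the bug thread or from OpenSSH: a Python model of the constrain-channel proposal discussed in this comment, where the local ssh command's own use of the agent is not prompted for, while sign requests arriving over a forwarded connection that has been marked untrusted are confirmed and shown the "user@host" path of each hop. The name SSH_AGENTC_CONSTRAIN_CHANNEL is the hypothetical message from comment #3; the agent class, the hop names and the confirm callback are assumptions of this model, and nothing here implements the real agent wire protocol.

```python
from dataclasses import dataclass, field
from typing import Callable, List

# CONSTRAIN_CHANNEL is the hypothetical message proposed in comment #3 (not part of
# the real ssh-agent protocol). SIGN_REQUEST is the real SSH2_AGENTC_SIGN_REQUEST,
# but only its name is modelled here, not its wire encoding.
CONSTRAIN_CHANNEL = "SSH_AGENTC_CONSTRAIN_CHANNEL"
SIGN_REQUEST = "SSH2_AGENTC_SIGN_REQUEST"


@dataclass
class AgentConnection:
    """Per-socket state the agent keeps for one client connection."""
    untrusted: bool = False                        # set once a constrain message arrives
    path: List[str] = field(default_factory=list)  # "user@host" hops added by each ssh client


class ConfirmingAgent:
    """Agent that prompts only for sign requests on a constrained (forwarded) connection."""

    def __init__(self, confirm: Callable[[str], bool]):
        self.confirm = confirm  # user prompt callback (assumed); True approves the key use

    def handle(self, conn: AgentConnection, msg_type: str, hop: str = "") -> str:
        if msg_type == CONSTRAIN_CHANNEL:
            conn.untrusted = True         # marks the whole connection, not one request
            if hop:
                conn.path.append(hop)     # each ssh client up the path adds where it connected
            return "SSH_AGENT_SUCCESS"
        if msg_type == SIGN_REQUEST:
            if conn.untrusted:
                context = " -> ".join(conn.path) or "<unknown remote host>"
                if not self.confirm(f"Allow key use for authentication via {context}?"):
                    return "SSH_AGENT_FAILURE"
            return "SSH_AGENT_SIGN_RESPONSE"   # trusted local ssh: no prompt at all
        return "SSH_AGENT_FAILURE"


def run_scenario(approve: bool = True):
    """Constructed walk-through: one local ssh, then a two-hop forwarded agent."""
    prompts: List[str] = []

    def confirm(msg: str) -> bool:
        prompts.append(msg)
        return approve

    agent = ConfirmingAgent(confirm)
    local = AgentConnection()                      # the local ssh command's own connection
    responses = [agent.handle(local, SIGN_REQUEST)]
    fwd = AgentConnection()                        # connection created by the forwarded socket
    agent.handle(fwd, CONSTRAIN_CHANNEL, "alice@hop1")  # local ssh constrains before forwarding
    agent.handle(fwd, CONSTRAIN_CHANNEL, "alice@hop2")  # ssh on hop1 adds its onward hop
    responses.append(agent.handle(fwd, SIGN_REQUEST))   # forwarded use: prompt with the path
    return responses, prompts
```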