Using confirmation of key usage per-host?

Damien Miller djm at mindrot.org
Tue Feb 24 06:56:36 AEDT 2015


On Mon, 23 Feb 2015, Johannes Kastl wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Dear all,
> 
> bear with me, I know the SUBJECT sounds pretty unclear. I'll clarify
> in a minute. And please excuse that due to the keywords being unclear
> no usable help was found on google & Co...
> 
> Assume there is a workstation, which connects to multiple machines,
> one of which is considered potentially unsafe. So, it would be nice to
> have agent forwarding to that machine combined with the confirmation
> option of ssh-add (-c). If the 'forwarded key' is used on this
> machine, the user is prompted on the workstation. An intruder cannot
> use the authentication information without the user knowing (at least
> that is how I understood the idea of agent confirmation).
> 
> Using ssh-add -c on the workstation together with setting
> 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour.
> 
> Unfortunately, this means the user is asked for confirmation, each
> time the keys is used. Even if it is just to connect to a safe machine
> or without agent forwarding.
> 
> Question:
> Is it possible to just get asked for confirmation, when the key is
> used on a machine, to which agent forwarding is used? Can this be set
> on a per-host-basis, like enabling/disabling agent forwarding in
> .ssh/config?

No and no.

You might want to check the mailing list archive for the thread
"Filtering which identities are forwarded by ssh-agent to a given host"
a couple of weeks ago for a related discussion.

-d


More information about the openssh-unix-dev mailing list