Using confirmation of key usage per-host?
Jamie Beverly
jamie.beverly at yahoo.com
Tue Feb 24 10:13:52 AEDT 2015
I have a script I've used over the years for precisely this kind of wizardry. https://github.com/jbeverly/ssh_client_cmdline
The one example in bin does what CanonicalizeHostname basically does now; I don't have the agent-flipping one up in git (perhaps I'll push it when I get home).
Figured I'd mention it in case it turned out to be handy.
On Monday, February 23, 2015 12:50 PM, Carson Gaspar <carson at taltos.org> wrote:
On 2/23/15 11:45 AM, Johannes Kastl wrote:
> Assume there is a workstation, which connects to multiple machines,
> one of which is considered potentially unsafe. So, it would be nice to
> have agent forwarding to that machine combined with the confirmation
> option of ssh-add (-c). If the 'forwarded key' is used on this
> machine, the user is prompted on the workstation. An intruder cannot
> use the authentication information without the user knowing (at least
> that is how I understood the idea of agent confirmation).
>
> Using ssh-add -c on the workstation together with setting
> 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour.
>
> Unfortunately, this means the user is asked for confirmation, each
> time the key is used. Even if it is just to connect to a safe machine
> or without agent forwarding.
>
> Question:
> Is it possible to just get asked for confirmation, when the key is
> used on a machine, to which agent forwarding is used? Can this be set
> on a per-host-basis, like enabling/disabling agent forwarding in
> .ssh/config?
You'll need to run 2 agents if you want different agent behaviour. Sadly
I don't know of any way to select which agent gets used in ssh_config -
you'd also have to wrap ssh to flip the SSH_AUTH_SOCK env var.
--
Carson
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
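One way to do the wrapping Carson describes (two agents, one loaded with `ssh-add -c`, and a front-end that flips SSH_AUTH_SOCK per destination host). This is an added example, not code from the thread or from Jamie's repository; the socket paths, the `confirm_hosts` file and the `dest_host`/`agent_sock_for` helpers are assumptions of this example.

```shell
#!/bin/sh
# Assumed layout (not from the thread):
#   ssh-agent -a ~/.ssh/agent-confirm.sock  -> keys added with `ssh-add -c`
#   ssh-agent -a ~/.ssh/agent-plain.sock    -> keys added without -c
#   ~/.ssh/confirm_hosts                    -> one shell glob per line; hosts
#                                              you forward the agent to
CONFIRM_SOCK="${CONFIRM_SOCK:-$HOME/.ssh/agent-confirm.sock}"
PLAIN_SOCK="${PLAIN_SOCK:-$HOME/.ssh/agent-plain.sock}"
CONFIRM_HOSTS="${CONFIRM_HOSTS:-$HOME/.ssh/confirm_hosts}"

# Print the destination host from an ssh argument list: the first word that
# is neither an option nor the value of an option that takes one. A leading
# "user@" is stripped. Returns 1 if no host is present.
dest_host() {
  while [ $# -gt 0 ]; do
    case "$1" in
      -B|-b|-c|-D|-E|-e|-F|-I|-i|-J|-L|-l|-m|-O|-o|-p|-Q|-R|-S|-W|-w)
        shift; [ $# -gt 0 ] && shift; continue ;;
      -*) shift; continue ;;
      *)  printf '%s\n' "${1#*@}"; return 0 ;;
    esac
  done
  return 1
}

# Print the agent socket for a host: the confirming agent if the host matches
# a pattern in $CONFIRM_HOSTS, otherwise the non-confirming one.
agent_sock_for() {
  host=$1
  if [ -r "$CONFIRM_HOSTS" ]; then
    while IFS= read -r pat; do
      case "$pat" in ''|'#'*) continue ;; esac
      case "$host" in $pat) printf '%s\n' "$CONFIRM_SOCK"; return 0 ;; esac
    done < "$CONFIRM_HOSTS"
  fi
  printf '%s\n' "$PLAIN_SOCK"
}

# When run with arguments, behave as ssh with the chosen agent socket.
if [ $# -gt 0 ]; then
  host=$(dest_host "$@") || { echo "ssh-wrap: no destination host" >&2; exit 2; }
  SSH_AUTH_SOCK=$(agent_sock_for "$host") exec ssh "$@"
fi
```

Install it ahead of `ssh` in PATH (or alias `ssh` to it); only hosts listed in `confirm_hosts`, which should be the same hosts that get `ForwardAgent yes`, then reach the agent whose keys prompt for confirmation.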