add keys and certificate to forwarded agent on remote host
Rory Campbell-Lange
rory at campbell-lange.net
Fri Sep 21 05:41:59 AEST 2018
On 18/09/18, Peter Moody (mindrot at hda3.com) wrote:
> On Mon, Sep 17, 2018 at 6:13 AM, Rory Campbell-Lange
> <rory at campbell-lange.net> wrote:
...
> > The problem is then to automate certificate issuance since it would be
> > pretty arduous for someone to keep issuing short-lived user
> > certificates.
> >
> > I was intrigued to read Uber's ussh announcement page and wondered if
> > this suggests a route for doing so:
> > (https://medium.com/uber-security-privacy/introducing-the-uber-ssh-certificate-authority-4f840839c5cc)
...
> > Assuming we write a program to generate a new key pair and associated
> > user certificate, how would one go about adding this to a forwarded
> > agent on the remote server hosting the program? Can ssh-add work on the
> > remote socket file? Is such an operation advisable?
...
> It's unclear if I'm ever going to be able to opensource usshca at this
> point, but I can assure that you it's definitely possible to add a
> private key (and certificate) to a forwarded ssh-agent. It might not
> be clear from the blog post, but usshca is itself an ssh server,
> albeit one that doesn't drop an authenticated user into a shell.
> openssh's sshd makes a remotely forwarded agent available locally via
> unix domain socket, but usshca just takes the remote agent and,
> assuming everything's a-ok, adds the key and cert.
Hi Peter
Thanks for the response, and the Go code snippets (unfortunately I'm not
a Go programmer). It would be great if usshca could be open-sourced in
future.
I've verified what you've written about adding keys and certificate to a
forwarded agent following Peter Stuge's helpful comments. Darren Tucker
pointed out that there is nothing to stop someone hacking their agent to
copy a key (even with a timeout), so the use of time-limited
certificates seems important.
The missing piece in the puzzle for our use case is extracting the user
from the connection by pairing their connection key to one in a user
database without having to create a local user for each remote ssh user
on the authenticating server. I assume the usshca ssh server deals with
this by allowing "username at usshca" connections for all known users?
Regards
Rory
More information about the openssh-unix-dev
mailing list