Bill Nugent
2015-Feb-01 12:52 UTC
Filtering which identities are forwarded by ssh-agent to a given host
Howdy,

I'm looking for a way to restrict which ssh keys are forwarded to a given remote host because we have several ssh domains. That is, I have two keys which I use throughout the day:

    .ssh/network-a-2014-10-12
    .ssh/network-b-2014-11-22

I need to forward my network A key to the ssh gateway host for Network A to allow me to log into hosts on the other side of the gateway, but I can't have the key for Network B forwarded. Similar thing for Network B. Deleting and adding is painful at best. I've experimented with IdentitiesOnly=yes and IdentityFile, but on the network A gateway I still see all of my loaded keys including Network B. Is there a way to do this already? If not, would a Bugzilla enhancement request be welcome? Perhaps requesting something along the lines of:

    Host network-a-gateway.example.com
        ForwardIdentity .ssh/network-a-2014-10-12

and allow additional ForwardIdentity lines to allow additional keys.

Thank you,
Bill
Alon Bar-Lev
2015-Feb-01 13:05 UTC
Filtering which identities are forwarded by ssh-agent to a given host
On Sun, Feb 1, 2015 at 2:52 PM, Bill Nugent <whn at lopi.com> wrote:
> Howdy,
>
> I'm looking for a way to restrict which ssh keys are forwarded to a
> given remote host because we have several ssh domains. That is, I have
> two keys which I use throughout the day:
> .ssh/network-a-2014-10-12
> .ssh/network-b-2014-11-22

I think best is to run two agents, load the keys of each network into each agent, and in that context use ssh.

> I need to forward my network A key to the ssh gateway host for Network A
> to allow me to log into hosts on the other side of the gateway but I
> can't have the key for Network B forwarded. Similar thing for
> Network B. Deleting and adding is painful at best. I've experimented
> with IdentitiesOnly=yes and IdentityFile but on the network A gateway I
> still see all of my loaded keys including Network B. Is there a way to
> do this already? If not, would a Bugzilla enhancement request be
> welcome? Perhaps requesting something along the lines of:
>
> Host network-a-gateway.example.com
> ForwardIdentity .ssh/network-a-2014-10-12
> and allow additional ForwardIdentity to allow additional keys.

Maybe a simpler and more secure alternative can be having AgentEnvironmentKey or something similar to enable ssh to use multiple agents based on the Host's ssh_config, so you actually refer to an agent and not to specific keys that are shared within a single agent.

> Thank you,
> Bill
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Ángel González
2015-Feb-01 19:15 UTC
Filtering which identities are forwarded by ssh-agent to a given host
On 01/02/15 13:52, Bill Nugent wrote:
> Howdy,
>
> I'm looking for a way to restrict which ssh keys are forwarded to a
> given remote host because we have several ssh domains. That is, I have
> two keys which I use throughout the day:
> .ssh/network-a-2014-10-12
> .ssh/network-b-2014-11-22
>
> I need to forward my network A key to the ssh gateway host for Network A
> to allow me to log into hosts on the other side of the gateway but I
> can't have the key for Network B forwarded. Similar thing for
> Network B. Deleting and adding is painful at best. I've experimented
> with IdentitiesOnly=yes and IdentityFile but on the network A gateway I
> still see all of my loaded keys including Network B. Is there a way to
> do this already? If not, would a Bugzilla enhancement request be
> welcome? Perhaps requesting something along the lines of:

In addition to using two agents, you can stop forwarding your keys to the gateway. Instead, use a ProxyCommand to locally establish the connection to the hosts inside (you will pass through the gateway, but the ssh process is local, and will honor your IdentityFile setting).

The problem was that the IdentityFile was being honored by the ssh at the gateway host; the agent doesn't have that knowledge.

Cheers
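An added example of an ~/.ssh/config that puts the two suggestions above into practice; it is an editor's illustration, not configuration posted by Alon, Ángel or the OpenSSH project. The first part is the ProxyCommand route Ángel describes: the ssh process that talks to an inside host runs locally and tunnels through the gateway with `ssh -W`, so the local IdentitiesOnly/IdentityFile settings decide which key is offered and the agent is never forwarded. The last part expresses Alon's two-agent idea with IdentityAgent, a per-host option OpenSSH added in 7.3 (after this thread); ssh authenticates with that agent and, if ForwardAgent is enabled for the host, forwards that agent rather than the one in SSH_AUTH_SOCK. The gateway names and key paths are the thread's; the `*.a.internal` / `*.b.internal` patterns and the agent socket paths are assumed placeholders.

```text
# ~/.ssh/config (added example; *.a.internal, *.b.internal and the
# ~/.ssh/agent-*.sock paths are placeholders, not names from the thread)

# Network A gateway: log in with the Network A key only and never hand the
# agent to the gateway.
Host network-a-gateway.example.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/network-a-2014-10-12
    ForwardAgent no

# Hosts behind it: the local ssh tunnels through the gateway (-W), so the
# local IdentityFile is the only key the inside host ever sees and the
# Network B key is never visible on the gateway.
Host *.a.internal
    ProxyCommand ssh -W %h:%p network-a-gateway.example.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/network-a-2014-10-12
    ForwardAgent no

# Network B mirrors this with its own key and gateway.
Host network-b-gateway.example.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/network-b-2014-11-22
    ForwardAgent no

Host *.b.internal
    ProxyCommand ssh -W %h:%p network-b-gateway.example.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/network-b-2014-11-22
    ForwardAgent no

# Alon's two-agent variant (OpenSSH 7.3 or later): start one agent per
# network, e.g. "ssh-agent -a ~/.ssh/agent-a.sock" then "ssh-add" of only
# that network's key, and bind each Host block to the matching socket.
# If ForwardAgent is later turned on for a gateway, this is the agent that
# gets forwarded, so the other network's key is still not exposed.
Host network-a-gateway.example.com *.a.internal
    IdentityAgent ~/.ssh/agent-a.sock

Host network-b-gateway.example.com *.b.internal
    IdentityAgent ~/.ssh/agent-b.sock
```

Two things to check after adopting this: `ssh -v some-host.a.internal` should show only `~/.ssh/network-a-2014-10-12` being offered, and on the gateway itself `ssh-add -l` should fail with "Could not open a connection to your authentication agent", confirming that nothing was forwarded. ssh_config applies the first matching value of each option, so a later `ForwardAgent yes` for the same host pattern would be ignored unless the earlier line is removed.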
Damien Miller
2015-Feb-01 23:18 UTC
Filtering which identities are forwarded by ssh-agent to a given host
On Sun, 1 Feb 2015, Bill Nugent wrote:
> Howdy,
>
> I'm looking for a way to restrict which ssh keys are forwarded to a
> given remote host because we have several ssh domains. That is, I have
> two keys which I use throughout the day:
> .ssh/network-a-2014-10-12
> .ssh/network-b-2014-11-22
>
> I need to forward my network A key to the ssh gateway host for Network A
> to allow me to log into hosts on the other side of the gateway but I
> can't have the key for Network B forwarded. Similar thing for
> Network B. Deleting and adding is painful at best. I've experimented
> with IdentitiesOnly=yes and IdentityFile but on the network A gateway I
> still see all of my loaded keys including Network B. Is there a way to
> do this already? If not, would a Bugzilla enhancement request be
> welcome? Perhaps requesting something along the lines of:
>
> Host network-a-gateway.example.com
> ForwardIdentity .ssh/network-a-2014-10-12
> and allow additional ForwardIdentity to allow additional keys.

It's not possible to do this unfortunately, but it is a feature that I've wanted for a long time. Implementing it requires teaching ssh enough of the agent protocol to filter requests sent through it, and doing it exactly right so that users' agents aren't exposed when they connect to a malicious server - so it's not without risk. I'd still like to implement it one day, but I'm not likely to get to it any time soon (I can't speak for the other developers).

OTOH you could probably write an "agent proxy" pretty easily that presented its own SSH_AUTH_SOCK to ssh and massaged the requests and replies going through it to the real agent. E.g.

    agentproxy -i ~/.ssh/id_rsa_xyzzy.pub ssh -tt xyzzy-bastion ssh xyzzy

This way you get to write it in the language of your choice :)

The agent protocol is pretty simple and is documented in the PROTOCOL.agent file in the OpenSSH distribution, or at https://anongit.mindrot.org/openssh.git/plain/PROTOCOL.agent

-d
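The agent proxy Damien sketches, written out as an added example for this page; it is not code from OpenSSH or from any poster, and the command-line shape follows his `agentproxy -i ...` idea only loosely. The proxy listens on its own Unix socket (the user exports that path as SSH_AUTH_SOCK before running `ssh -A`), connects to the real agent for each client, and applies a deny-by-default policy: SSH_AGENTC_REQUEST_IDENTITIES is relayed and the SSH_AGENT_IDENTITIES_ANSWER is rewritten to list only the keys whose `.pub` files were named on the command line, SSH_AGENTC_SIGN_REQUEST is relayed only for one of those keys, and every other message type (add, remove, lock, extensions) is answered with SSH_AGENT_FAILURE so a remote host holding the forwarded socket cannot change the local agent. The message numbers (5, 11, 12, 13) and the `string` encoding are those of PROTOCOL.agent; Python 3.8 or later, the socket path and the public-key file names are assumptions of the example.

```python
"""Filtering ssh-agent proxy: an added example, not OpenSSH or any poster's code.
Export its socket as SSH_AUTH_SOCK before "ssh -A"; only keys whose .pub files are
named on the command line are listed or usable for signing, everything else is
refused with SSH_AGENT_FAILURE. Message numbers are those in PROTOCOL.agent."""
import base64
import os
import socket
import struct
import sys

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13


def put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b  # SSH 'string': uint32 length + bytes

def get_string(buf: bytes, off: int):
    """Decode an SSH 'string' at off; returns (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string in agent message")
    return buf[off + 4:off + 4 + n], off + 4 + n

def filter_identities_answer(reply: bytes, allowed: set) -> bytes:
    """Rewrite SSH_AGENT_IDENTITIES_ANSWER so only allowed key blobs remain."""
    if not reply or reply[0] != SSH_AGENT_IDENTITIES_ANSWER:
        return bytes([SSH_AGENT_FAILURE])
    (nkeys,) = struct.unpack_from(">I", reply, 1)
    off, kept = 5, []
    for _ in range(nkeys):
        blob, off = get_string(reply, off)
        comment, off = get_string(reply, off)
        if blob in allowed:
            kept.append(put_string(blob) + put_string(comment))
    return bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(kept)) + b"".join(kept)

def handle_request(msg: bytes, allowed: set, ask_agent) -> bytes:
    """Policy for one client message; ask_agent(msg) returns the real agent's reply.
    Only listing and signing with an allowed key are relayed; add/remove/lock and
    extension requests are refused so the remote host cannot alter the local agent."""
    kind = msg[0] if msg else None
    if kind == SSH_AGENTC_REQUEST_IDENTITIES:
        return filter_identities_answer(ask_agent(msg) or b"", allowed)
    if kind == SSH_AGENTC_SIGN_REQUEST:
        try:
            blob, _ = get_string(msg, 1)
        except (struct.error, ValueError):
            return bytes([SSH_AGENT_FAILURE])
        if blob in allowed:
            return ask_agent(msg) or bytes([SSH_AGENT_FAILURE])
    return bytes([SSH_AGENT_FAILURE])

def load_allowed(pubkey_paths) -> set:
    """Raw key blobs (the decoded base64 field) of OpenSSH .pub files."""
    allowed = set()
    for path in pubkey_paths:
        with open(path) as fh:
            allowed.add(base64.b64decode(fh.read().split()[1]))
    return allowed

def read_msg(stream):
    hdr = stream.read(4)  # buffered reader: blocks until 4 bytes or EOF
    if len(hdr) < 4:
        return None
    return stream.read(struct.unpack(">I", hdr)[0]) or None

def send_msg(sock, msg: bytes) -> None:
    sock.sendall(struct.pack(">I", len(msg)) + msg)

def serve(listen_path: str, real_agent_path: str, allowed: set) -> None:
    """Serve clients one at a time, relaying filtered requests to the real agent."""
    os.umask(0o077)  # the proxy socket must not be reachable by other users
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(listen_path)
    srv.listen(8)
    while True:
        client, _ = srv.accept()
        with client, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as agent:
            agent.connect(real_agent_path)
            cin, ain = client.makefile("rb"), agent.makefile("rb")

            def ask_agent(m):
                send_msg(agent, m)
                return read_msg(ain)

            while (msg := read_msg(cin)) is not None:
                send_msg(client, handle_request(msg, allowed, ask_agent))


if __name__ == "__main__":
    # Hypothetical invocation (assumed paths), loosely following Damien's sketch:
    #   agentproxy.py /tmp/agentproxy.sock ~/.ssh/network-a-2014-10-12.pub
    #   SSH_AUTH_SOCK=/tmp/agentproxy.sock ssh -A network-a-gateway.example.com
    serve(sys.argv[1], os.environ["SSH_AUTH_SOCK"], load_allowed(sys.argv[2:]))
```

The policy lives in `handle_request`, which takes the agent as a callback so it can be exercised without sockets. Matching on the full key blob rather than on the comment matters: comments are free text and a remote side could not forge a blob that the real agent would sign with the wrong key, but it could easily send a sign request naming a key that was never listed, which is why signing is checked independently of listing. A later OpenSSH release (8.9) added destination-constrained keys (`ssh-add -h`), which implement this kind of per-host restriction inside ssh and ssh-agent themselves.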
Ángel González
2015-Feb-01 23:48 UTC
Filtering which identities are forwarded by ssh-agent to a given host
On 02/02/15 00:18, Damien Miller wrote:
> On Sun, 1 Feb 2015, Bill Nugent wrote:
>> Host network-a-gateway.example.com
>> ForwardIdentity .ssh/network-a-2014-10-12
>> and allow additional ForwardIdentity to allow additional keys.
> It's not possible to do this unfortunately, but it is a feature that I've
> wanted for a long time. Implementing it requires teaching ssh enough
> of the agent protocol to filter requests sent through it, and doing
> it exactly right so that users' agents aren't exposed when they connect
> to a malicious server - so it's not without risk.

IMHO the way to go is not to teach ssh the agent protocol, but to modify the agent protocol so that each request gets the hostname requesting it prepended (forwarded connections would contain the full chain). Then the agent itself would decide which keys to expose to such a host: "foo is available for any host", "provide network-a-key only to ssh.network-a.com and anything that passed through ssh.network-a.com", "key bar is shown to all hosts but a confirmation dialog will be shown to the user pointing at the host requesting it", and so on.

Regards