Dear all,

bear with me, I know the SUBJECT sounds pretty unclear. I'll clarify in a minute. And please excuse that due to the keywords being unclear no usable help was found on google & Co...

Assume there is a workstation, which connects to multiple machines, one of which is considered potentially unsafe. So, it would be nice to have agent forwarding to that machine combined with the confirmation option of ssh-add (-c). If the 'forwarded key' is used on this machine, the user is prompted on the workstation. An intruder cannot use the authentication information without the user knowing (at least that is how I understood the idea of agent confirmation).

Using ssh-add -c on the workstation together with setting 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour.

Unfortunately, this means the user is asked for confirmation each time the key is used, even if it is just to connect to a safe machine or without agent forwarding.

Question:
Is it possible to just get asked for confirmation when the key is used on a machine to which agent forwarding is used? Can this be set on a per-host basis, like enabling/disabling agent forwarding in .ssh/config?

One workaround I could think of would be to use a separate ssh key just for that machine, and just add that one with the ssh-add -c option.

Any hints?

Thanks in advance,
Johannes

-- 
`Voldemort himself created his worst enemy, just as tyrants everywhere do! Have you any idea how much tyrants fear the people they oppress? All of them realise that, one day [...] there is sure to be one who rises against them and strikes back.' (Harry Potter 6)
On Mon, 23 Feb 2015, Johannes Kastl wrote:

> Dear all,
>
> bear with me, I know the SUBJECT sounds pretty unclear. I'll clarify
> in a minute. And please excuse that due to the keywords being unclear
> no usable help was found on google & Co...
>
> Assume there is a workstation, which connects to multiple machines,
> one of which is considered potentially unsafe. So, it would be nice to
> have agent forwarding to that machine combined with the confirmation
> option of ssh-add (-c). If the 'forwarded key' is used on this
> machine, the user is prompted on the workstation. An intruder cannot
> use the authentication information without the user knowing (at least
> that is how I understood the idea of agent confirmation).
>
> Using ssh-add -c on the workstation together with setting
> 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour.
>
> Unfortunately, this means the user is asked for confirmation each
> time the key is used, even if it is just to connect to a safe machine
> or without agent forwarding.
>
> Question:
> Is it possible to just get asked for confirmation when the key is
> used on a machine to which agent forwarding is used? Can this be set
> on a per-host basis, like enabling/disabling agent forwarding in
> .ssh/config?

No and no.

You might want to check the mailing list archive for the thread "Filtering which identities are forwarded by ssh-agent to a given host" a couple of weeks ago for a related discussion.

-d
On 2/23/15 11:45 AM, Johannes Kastl wrote:

> Assume there is a workstation, which connects to multiple machines,
> one of which is considered potentially unsafe. So, it would be nice to
> have agent forwarding to that machine combined with the confirmation
> option of ssh-add (-c). If the 'forwarded key' is used on this
> machine, the user is prompted on the workstation. An intruder cannot
> use the authentication information without the user knowing (at least
> that is how I understood the idea of agent confirmation).
>
> Using ssh-add -c on the workstation together with setting
> 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour.
>
> Unfortunately, this means the user is asked for confirmation each
> time the key is used, even if it is just to connect to a safe machine
> or without agent forwarding.
>
> Question:
> Is it possible to just get asked for confirmation when the key is
> used on a machine to which agent forwarding is used? Can this be set
> on a per-host basis, like enabling/disabling agent forwarding in
> .ssh/config?

You'll need to run 2 agents if you want different agent behaviour. Sadly I don't know of any way to select which agent gets used in ssh_config - you'd also have to wrap ssh to flip the SSH_AUTH_SOCK env var.

-- 
Carson
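A per-host agent selector along the lines Carson describes, as an added example that is not from the thread or from OpenSSH: it assumes two ssh-agent instances are already running on the workstation (the socket paths, host names and the /usr/bin/ssh path below are placeholders), and leaves ForwardAgent to be enabled per host in ssh_config as in the original post.

```shell
#!/bin/sh
# Added example, not from the thread: pick SSH_AUTH_SOCK per destination host.
# Assumes two ssh-agent instances are already running (paths are placeholders):
#   SAFE_SOCK    - agent holding the everyday keys, added without -c
#   CONFIRM_SOCK - agent holding only the key for the untrusted hosts, added with ssh-add -c
# ForwardAgent is still enabled per host in ~/.ssh/config, as in the original post.
SAFE_SOCK="${SAFE_SOCK:-$HOME/.ssh/agent-safe.sock}"
CONFIRM_SOCK="${CONFIRM_SOCK:-$HOME/.ssh/agent-confirm.sock}"

# Constructed list of hosts that get the confirming agent, one per line.
CONFIRM_HOSTS="untrusted.example.org
build-box.example.org"

# Print the destination host from an ssh argument list: the first non-option
# word, with any user@ prefix stripped. ssh options that take a separate
# value (-p, -i, -o, -l, ...) are skipped together with that value.
ssh_target() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -[BbcDEeFIiJLlmOopQRSWw]) [ $# -ge 2 ] || return 1; shift 2 ;;
            -*) shift ;;
            *) printf '%s\n' "${1#*@}"; return 0 ;;
        esac
    done
    return 1
}

# Print the agent socket to use for HOST (exact, whole-line match).
select_auth_sock() {
    if printf '%s\n' "$CONFIRM_HOSTS" | grep -qxF -- "$1"; then
        printf '%s\n' "$CONFIRM_SOCK"
    else
        printf '%s\n' "$SAFE_SOCK"
    fi
}

# Wrapper entry point: install under the name "ssh" ahead of the real binary
# in PATH; the absolute path below avoids calling the wrapper recursively.
ssh_wrapper() {
    target=$(ssh_target "$@") || { echo "ssh_wrapper: no destination host" >&2; return 2; }
    SSH_AUTH_SOCK=$(select_auth_sock "$target") exec /usr/bin/ssh "$@"
}
```

Because the untrusted host only ever sees the confirming agent, the everyday keys are never reachable through the forwarded socket, which is what the separate-key workaround alone does not give you.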
Hi Damien,

On 23 February 2015 20:56:36 CET, Damien Miller <djm at mindrot.org> wrote:

> No and no.
>
> You might want to check the mailing list archive for the thread
> "Filtering which identities are forwarded by ssh-agent to a given host"
> a couple of weeks ago for a related discussion.
>
> -d

Thanks for the quick answer. I'll have a look at this thread.

So only the different key workaround might help, right?

Regards,
Johannes

-- 
This mail has been sent from my mobile phone. Please excuse the briefness. This mail is not signed cryptographically.
I have a script I've used over the years for precisely this kind of wizardry: https://github.com/jbeverly/ssh_client_cmdline

The one example in bin does what CanonicalizeHostname basically does now; I don't have the agent flipping one up in git (perhaps I'll push it when I get home).

Figured I'd mention it in case it turned out to be handy.

On Monday, February 23, 2015 12:50 PM, Carson Gaspar <carson at taltos.org> wrote:

> On 2/23/15 11:45 AM, Johannes Kastl wrote:
>
> > Assume there is a workstation, which connects to multiple machines,
> > one of which is considered potentially unsafe. So, it would be nice to
> > have agent forwarding to that machine combined with the confirmation
> > option of ssh-add (-c). If the 'forwarded key' is used on this
> > machine, the user is prompted on the workstation. An intruder cannot
> > use the authentication information without the user knowing (at least
> > that is how I understood the idea of agent confirmation).
> >
> > Using ssh-add -c on the workstation together with setting
> > 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour.
> >
> > Unfortunately, this means the user is asked for confirmation each
> > time the key is used, even if it is just to connect to a safe machine
> > or without agent forwarding.
> >
> > Question:
> > Is it possible to just get asked for confirmation when the key is
> > used on a machine to which agent forwarding is used? Can this be set
> > on a per-host basis, like enabling/disabling agent forwarding in
> > .ssh/config?
>
> You'll need to run 2 agents if you want different agent behaviour. Sadly
> I don't know of any way to select which agent gets used in ssh_config -
> you'd also have to wrap ssh to flip the SSH_AUTH_SOCK env var.
>
> -- 
> Carson

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev