Hi, This may or may not cause concern for some people (considering a lot of people store all of their keys on a single client system). Snippet from draft-ietf-secsh-agent-00.txt: 2. Security Considerations This protocol is designed only to run as a channel of the SSH protocol. The goal of this extension is to ensure that the users private keys never leave the machine they are physically at. Ideally the private keys should be stored on a password protected removable media such as a smartcard. I noticed that ssh-add will add a private key to a forwarded agent, if there are no local agents started by that user - this breaks the draft specification as private keys on a local host are added to an agent running on a remote host. For example, USERA starts ssh-agent on HOSTA. USERA then ssh's to HOSTB, USERA then runs ssh-add on HOSTB, the private keys from HOSTB are then added to the ssh-agent on HOSTA. If USERA had started ssh-agent on HOSTB and then ran ssh-add, the keys would have remained on local to the system. I also noticed that if there are no local agents running a remote agent socket will show up in /tmp/ssh-XXXXXXXX/ as agent.$PID= whereas if a local agent IS running the "=" is dropped. I'm not sure if it is appropriate to apply mechanisms to ssh-add to prevent it adding local keys to a forwarded agent or if a quick addition to the man pages will suffice. If this has been discussed before I apologise, couldn't find any references to anything similar. Cheers, Dave. -- ugc Security Research http://www.ugc.org.uk/~dave
i'm not sure what you want, but the ssh-add manpage is missing a reference to SSH_AUTH_SOCK Identifies the path of a unix-domain socket used to communicate with the agent. -m On Wed, Jun 05, 2002 at 11:07:38AM +0100, Dave Ryan wrote:> Hi, > > This may or may not cause concern for some people (considering a lot of > people store all of their keys on a single client system). > > Snippet from draft-ietf-secsh-agent-00.txt: > > 2. Security Considerations > > This protocol is designed only to run as a channel of the SSH > protocol. > > The goal of this extension is to ensure that the users private keys > never leave the machine they are physically at. Ideally the private > keys should be stored on a password protected removable media such as > a smartcard. > > I noticed that ssh-add will add a private key to a forwarded agent, if > there are no local agents started by that user - this breaks the draft > specification as private keys on a local host are added to an agent > running on a remote host. > > For example, > > USERA starts ssh-agent on HOSTA. USERA then ssh's to HOSTB, USERA then > runs ssh-add on HOSTB, the private keys from HOSTB are then added to the > ssh-agent on HOSTA. > > If USERA had started ssh-agent on HOSTB and then ran ssh-add, the keys > would have remained on local to the system. > > I also noticed that if there are no local agents running a remote agent > socket will show up in /tmp/ssh-XXXXXXXX/ as agent.$PID= whereas if a > local agent IS running the "=" is dropped. > > I'm not sure if it is appropriate to apply mechanisms to ssh-add to > prevent it adding local keys to a forwarded agent or if a quick > addition to the man pages will suffice. > > If this has been discussed before I apologise, couldn't find any > references to anything similar. > > Cheers, > Dave. > > -- > ugc Security Research > http://www.ugc.org.uk/~dave > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
Nicolas.Williams at ubsw.com
2002-Jun-05 14:58 UTC
ssh-add: local private keys added to forwarded agents
The behaviour you describe does not violate the [draft] specification. Clearly, many (most!) SSH users do not store keys in smartcards or any other kind of removable media, and noone claims such behaviour to be in violation of the [draft] spec. Note the word "ideally" in the spec text you quote. Also, your statement about the agent socket names is incorrect. It is "ls -F" that is adding that '=' to the end of the socket name. Having said this, I would second any proposal that ssh-add require an additional argument to force the addition of keys to forwarded agents; this would require a mechanism to tell the difference between local and forwarded agents and, in practice, I imagine either a socket naming pattern or an environment variable's setting would be used to tell the difference, though neither approach would be foolproof. But I am not making such a proposal. I'm big enough to keep track of and know which sessions are which and which sessions have forwarded agents and which don't. Nico --> -----Original Message----- > From: Dave Ryan [mailto:dave at ugc.org.uk] > Sent: Wednesday, June 05, 2002 6:08 AM > To: openssh-unix-dev at mindrot.org > Subject: ssh-add: local private keys added to forwarded agents > > > Hi, > > This may or may not cause concern for some people > (considering a lot of > people store all of their keys on a single client system). > > Snippet from draft-ietf-secsh-agent-00.txt: > > 2. Security Considerations > > This protocol is designed only to run as a channel of the SSH > protocol. > > The goal of this extension is to ensure that the users private keys > never leave the machine they are physically at. Ideally > the private > keys should be stored on a password protected removable > media such as > a smartcard. > > I noticed that ssh-add will add a private key to a forwarded agent, if > there are no local agents started by that user - this breaks the draft > specification as private keys on a local host are added to an agent > running on a remote host. > > For example, > > USERA starts ssh-agent on HOSTA. USERA then ssh's to HOSTB, USERA then > runs ssh-add on HOSTB, the private keys from HOSTB are then > added to the > ssh-agent on HOSTA. > > If USERA had started ssh-agent on HOSTB and then ran ssh-add, > the keys > would have remained on local to the system. > > I also noticed that if there are no local agents running a > remote agent > socket will show up in /tmp/ssh-XXXXXXXX/ as agent.$PID= whereas if a > local agent IS running the "=" is dropped. > > I'm not sure if it is appropriate to apply mechanisms to ssh-add to > prevent it adding local keys to a forwarded agent or if a quick > addition to the man pages will suffice. > > If this has been discussed before I apologise, couldn't find any > references to anything similar. > > Cheers, > Dave. > > -- > ugc Security Research > http://www.ugc.org.uk/~dave > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev >Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments.
>Snippet from draft-ietf-secsh-agent-00.txt: > >2. Security Considerations > > This protocol is designed only to run as a channel of the SSH > protocol. > > The goal of this extension is to ensure that the users private keys > never leave the machine they are physically at. Ideally the private > keys should be stored on a password protected removable media such as > a smartcard. > >I noticed that ssh-add will add a private key to a forwarded agent, if >there are no local agents started by that user - this breaks the draft >specification as private keys on a local host are added to an agent >running on a remote host.Since that draft is very much a work in progress and OpenSSH doesn't claim complaince with it - I don't think it is fair to hold them to it. The draft at this point is a very rough cut of thoughts in my head, you will also note that as far as technical details it is completely content free in revision -00.txt. Note also that it does say Ideally not MUST or SHOULD or any other RFC2026 keywords. -- Darren J Moffat