reply_to_list
2004-Jun-20 00:00 UTC
key management with ssh-agent, IdentityFile and info leakage
editors note: just now found something about IdentitiesOnly that might do the trick. there's some other stuff in here too. about preventing info leakage [keys for other sites] from appearing in the client<-->server key negotiation with ssh-agent and IdentityFile. ssh/config:IdentityFile - seems to indicate that only the specified key will be tried, and if that key fails, no other keys will be tried. however, the tests further below prove otherwise. it would be great if IdentityFile would indeed try only the specified key by doing a lookup for it in the list of the running agent and/or on disk. preserve the existing [broken?] personality by adding something like: IdentityFileExclusive key - try to locate and use this single key only. IdentityFilePrefer (agent|disk|agentdisk|diskagent) - use this single location or try this multiple location search order. for when the loaded key differs from the disk key of the same name because some management app is swapping keys around and a configurable source would be handy. IdentityFileDefault (yes|no) - try the defkeys if available. IdentityFileDefaultOrder (first|last) - in this order. ordering - if multiple IdentityFile's exist in a section, try in the order listed. the ability to [un]lock specific keys in the agent in addition to the entire agent might also be useful. ssh-add -l would then show which keys are locked. ssh-add -[X|x] [key]. note - -i, -o should take precedence always. then deal with agent/files as above. 1. cmdline 2. usercfg 3. syscfg OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090703f yeah, yeah... test key generation... cd ~/.ssh ; rm id* ssh-keygen -t dsa -b 512 -N defpass -C defkey -f id_dsa for key in a b c ; do ssh-keygen -t dsa -b 512 -N ${key}pass -C ${key}key -f id_dsa_$key done ssh host 'cat > .ssh/authorized_keys' < id_dsa_c.pub colon fields - the test state srvkey - key contained in authorized_keys on the server cfgkey - key specified in client config file for that host agekey - key set loaded in agent, in load order defkey - default key name non colon fields - test result from this test number... ssh -vvv host find /tmp 2>&1 | egrep '/tmp/ssh-|id_dsa' ignore the tmp stuff, used for checking ForwardAgent. agekey - this agent key was tried cfgkey - this config key was tried defkey - this key was tried summary... exposed might not be the right word first, all available agekeys are exposed second, the cfgkeys are exposed third, the defkey is exposed fourth, other configured non-key methods are tried [not shown] setup... srvkey: c cfgkey: a defkey: id_dsa test 1... agekey: none cfgkey a test 2... agekey: c agekey c test 3... agekey: b agekey b cfgkey a test 4... agekey: a agekey a cfgkey a test 5... agekey: b a agekey b agekey a cfgkey a test 6... agekey: defkey a c agekey defkey agekey a agekey c srvkey: b test 7... agekey: c defkey a b agekey c agekey defkey agekey a agekey b 512 d3:3f:d4:1c:b2:1e:53:1e:16:92:77:80:24:db:cb:78 id_dsa_c (DSA) 512 2b:f5:bc:22:fd:2e:97:c5:6b:24:9a:5e:32:a6:51:2e id_dsa (DSA) 512 82:18:ff:64:53:49:e5:b1:d4:4f:1b:4b:88:b4:cf:1e id_dsa_a (DSA) 512 30:12:77:c5:59:09:21:62:06:e7:d7:7e:bc:8a:aa:91 id_dsa_b (DSA)
Seemingly Similar Threads
- Hi - Regarding xend - xm create Error
- [Bug 410] New: when -i or IdentityFile is specified, agent keys are still tried first
- [Bug 410] when -i or IdentityFile is specified, agent keys are still tried first
- [Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
- [Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)