bugzilla-daemon at bugzilla.mindrot.org
2016-May-15 09:59 UTC
[Bug 1499] Add "ForwardAgent ask" to ssh_config
https://bugzilla.mindrot.org/show_bug.cgi?id=1499 Simon Arlott <bugzilla.mindrot-org.simon at arlott.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bugzilla.mindrot-org.simon@ | |arlott.org --- Comment #5 from Simon Arlott <bugzilla.mindrot-org.simon at arlott.org> --- I have gpg-agent set up to ask me to confirm each use of the key for authentication so that each act of forwarding by a remote host is confirmed. This gets extremely annoying when I make lots of connections from my local host as I already have to trust my own "ssh" command so it should not need to prompt for this. (In reply to Damien Miller from comment #3)> I had something more simple in mind: have ssh(1) send a magic > request (SSH_AGENTC_CONSTRAIN_CHANNEL / > SSH2_AGENTC_CONSTRAIN_CHANNEL) that marks the entire listen socket > as "untrusted" rather than doing it on a per-request basis.I'd like this because it'd solve my problem by allowing gpg-agent to only request confirmation on subsequent authentication requests. It would be helpful if ssh could include a "user at host" in the constrain message, so that this could also be displayed, providing some context as requested by bug 1876. (In reply to Damien Miller from comment #3)> To go further than this, it might be possible to sign agent requests > with the host keys (or some derivative thereof) of each intervening > host that the agent is forwarded through, but this would need careful > design and analysis. It wouldn't be trivially backwards compatible > like this proposal either.If you wanted to provide context for different remote hosts, you could have each agent forwarding socket create a new connection all the way back to the original ssh client, and use multiple "constraint channel" messages to indicate the path. When you're using a forwarded agent and ssh elsewhere, a new agent connection would be made and each ssh client up the path to the original host could add its own constrain message indicating where it had connected to. You'd have to trust each host in the path to tell you where it's connecting to but this is already the case. Even if the agent requests were signed, or you could prove that you were connecting to a known remote host and the key data would only work on that one authentication, you can't necessarily trust the remote host not to do something malicious with your connection. Knowing the path you (appear to) take to reach the new remote host is the one you expect would be enough. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
Reasonably Related Threads
- [Bug 1499] New: Add "ForwardAgent ask" to ssh_config
- [Bug 1499] Add "ForwardAgent ask" to ssh_config
- Patch to add "warn" value to ForwardX11 and ForwardAgent
- Unintended key info disclosure via ForwardAgent?
- ability to select which identity to forward when using "ForwardAgent" ?